Abstract


We present a mathematical state-machine model, the Dynamic I/O Automaton (DIOA) 
model, for defining and analyzing dynamic systems of interacting components. The systems we 
consider are dynamic in two senses: (1) components can be created and destroyed as computation 
proceeds, and (2) the events in which the components may participate may change. The new 
model admits a notion of external system behavior, based on sets of traces. It also features 
a parallel composition operator for dynamic systems, which respects external behavior, and a 
notion of simulation from one dynamic system to another, which can be used to prove that one 
system implements the other. 

We establish fundamental compositionality results for DIOA: if one component is replaced 
by another whose traces are a subset of the former, then the set of traces of the system as a 
whole can only be reduced, and not increased, i.e., no new behaviors are added. This permits the 
refinement of components and subsystems in isolation from the entire system. It also provides the 
foundation for a design methodology based solely on the notion of externally visible behavior. 
This is in contrast to, for example, the π-calculus, where a component can be replaced by
another only by establishing a bisimulation between components, i.e., a relationship between
components based on their internal state-transitions, rather than the externally visible actions
at their interface. As is well-known, simulation and bisimulation relations are incomplete with
respect to trace inclusion. Hence, our approach is more abstract and complete: it permits the
refinement of one component by another in cases which the π-calculus could not accommodate.

The DIOA model was defined to support the analysis of mobile agent systems, in a joint 
project with researchers at Nippon Telegraph and Telephone. It can also be used for other 
forms of dynamic systems, such as systems described by means of object-oriented programs, 
and systems containing services with changing access permissions. 


The first author was supported by the National Science Foundation under Grant No. CCR-0204432.


1 Introduction 


Many modern distributed systems are dynamic: they involve changing sets of components, which are 
created and destroyed as computation proceeds, and changing capabilities for existing components. 
For example, programs written in object-oriented languages such as Java involve objects that create 
new objects as needed, and create new references to existing objects. Mobile agent systems involve 
agents that create and destroy other agents, travel to different network locations, and transfer 
communication capabilities. 


To describe and analyze such distributed systems rigorously, one needs an appropriate mathematical
foundation: a state-machine-based framework that allows modeling of individual components
and their interactions and changes. The framework should admit standard modeling methods
such as parallel composition and levels of abstraction, and standard proof methods such as invariants
and simulation relations. At the same time, the framework should be simple enough to use as
a basis for distributed algorithm analysis.


Static mathematical models like I/O automata [LT89] could be used for this purpose, with 
the addition of some extra structure (special Boolean flags) for modeling dynamic aspects. For 
example, in [LMWF94], dynamically-created transactions were modeled as if they existed all along, 
but were “awakened” upon execution of special create actions. However, dynamic behavior has by 
now become so prevalent that it deserves to be modeled directly. The main challenge is to identify 
a small, simple set of constructs that can be used as a basis for describing most interesting dynamic 
systems. 


In this paper, we present our proposal for such a model: the Dynamic I/O Automaton (DIOA) 
model. Our basic idea is to extend I/O automata with the ability to change their signatures 
dynamically, and to create other I/O automata. We then combine such extended automata into 
global configurations. The DIOA model admits a notion of external system behavior, based on 
sets of traces. It also features a parallel composition operator for dynamic systems, which respects 
external behavior (traces) and satisfies standard execution projection/pasting and trace pasting 
results, and a notion of simulation relation from one dynamic system X to another dynamic system 
Y, which can be used to prove that X implements Y. 


To express dynamic aspects, DIOA augments the I/O automaton model with: 


- Creation of automata: an automaton can “create” a new automaton. The execution of an
  action a of an automaton can, as a side effect, cause the creation of a set of automata, if
  these are not already present. We call automata that can create other automata signature
  I/O automata, abbreviated as SIOA.

- Two-level semantics: Due to the introduction of dynamic automaton creation, the semantics
  of an automaton is no longer accurately given by its transition relation. The effect of creation
  must also be considered. Thus, the semantics is given by a second class of automata, called
  configuration automata. Each state of a configuration automaton is mapped to the collection
  of signature I/O automata that are currently “awake,” together with the current local state
  of each one.

- Variable signatures: The signature of an SIOA is a function of its state, and so can change
  as the SIOA makes state transitions. In particular, an SIOA “dies” by changing its signature
  to the empty set, after which it is incapable of performing any action.


We defined the DIOA model initially to support the analysis of mobile agent systems, in a joint 
project with researchers at Nippon Telephone and Telegraph. Creation and destruction of agents 
are modeled directly within the DIOA model. Other important agent concepts such as changing 
locations and capabilities are described in terms of changing signatures, using additional structure. 
Our preliminary work on modeling and analyzing agent systems appeared in the NASA workshop 
on formal methods for agent systems [AAK+00]. We are currently considering the use of DIOA
to model and analyze object-oriented programs; here, creation of new objects is modeled directly, 
while addition of references is modeled as a signature change. 


One issue that arises in systems where components can be created dynamically is that of
clones: suppose a particular component is created twice, in succession. In general, this can result
in the creation of two (or more) indistinguishable copies of the component, known as clones. We
make the fundamental assumption in our model that this situation does not arise: components can
always be distinguished, for example, by a logical timestamp at the time of creation. This absence
of clones assumption does not preclude reasoning about situations in which an SIOA $A_1$ cannot
be distinguished from another SIOA $A_2$ by the other SIOA in the system. This could occur, for
example, due to a malicious host which “replicates” agents that visit it. We distinguish between
such replicas at the meta-theoretic level by assigning unique identifiers to each. These identifiers
are not available to the other SIOA in the system, which remain unable to tell $A_1$ and $A_2$ apart, for
example in the sense of the “knowledge” [HM90] about $A_1$ and $A_2$ which the other SIOA possess.


Related work: Most approaches to the modeling of dynamic systems are based on a process
algebra, in particular, the π-calculus [Mil99] or one of its variants. Such approaches [CG00, FGL+96,
RH98] model dynamic aspects by introducing channels and/or locations (names) as basic notions.
Our model makes a different choice of primitive notions: it takes actions and automata as primitive,
and does not include channels and their transmission as primitives. Our approach is also different
in that it is primarily a (set-theoretic) mathematical model, rather than a formal language and
calculus. We expect that notions such as channel and location will be built upon the basic model
using additional layers (as we do for modeling agent mobility in terms of signature change). Also,
we ignore issues (e.g., syntax) that are important when designing a programming language (the
“precondition-effect” notation in which we present an example is informal, and is not part of our
model). Another difference with process-algebraic approaches is that we use trace inclusion
for refinement, rather than bisimulation. This allows us more latitude in refinement, in two ways.
First, trace inclusion permits the implementation to have fewer externally visible behaviors (traces)
than the specification, whereas bisimulation requires equality of the trace sets of implementation
and specification. Second, a refinement relation based only on the externally visible behavior
is necessarily more abstract than one based on the internal state-transitions. It is well-known
that simulation is incomplete with respect to trace inclusion: there are simple examples of trace
inclusion that cannot be established by means of a (forward) simulation relation. Our example
will demonstrate the advantages of our approach. Finally, our model has a well-defined notion of
projection onto a subsystem. This is a crucial pre-requisite for compositional reasoning, and is
usually missing from process-algebraic approaches.


The paper is organized as follows. Section 2 presents signature I/O automata. Section 3
presents execution projection and pasting results, trace pasting results, and trace substitutivity
results. These provide the basis for compositional reasoning in our model. Section 5 shows how
configuration automata are built up from signature I/O automata. Section 6 extends our compositional
reasoning results to configuration automata. Section 4 proposes an appropriate notion of
forward simulation for DIOA. Section 7 discusses how mobility and locations can be modeled in
DIOA. Section 8 presents an example: an agent whose purpose is to traverse a set of databases in
search of a satisfactory airline flight, and to purchase such a flight if it finds it. Section 9 discusses
further research and concludes.


2 Signature I/O Automata 


We assume the existence of a set $Autids$ of unique SIOA identifiers, an underlying universal set $Auts$
of SIOA, and a mapping $aut : Autids \to Auts$. $aut(A)$ is the SIOA with identifier $A$. We use “the
automaton A” to mean “the SIOA with identifier A”. We use the letters $A, B$, possibly subscripted
or primed, for SIOA identifiers.


In a particular state s, the executable actions are drawn from a signature sig(A)(s) = (in(A)(s), 
out(A)(s), int(A)(s)), called the state signature, which is a function of its current state. in(A)(s), 
out(A)(s), int(A)(s) are pairwise disjoint sets of input, output, and internal actions, respectively. 
We define ext(A)(s), the external signature of A in state s, to be ext(A)(s) = (in(A)(s), out(A)(s)). 


For any signature component, generally, the $\widehat{\;\cdot\;}$ operator yields the union of the sets of actions
within the signature, e.g., $\widehat{sig(A)(s)} = in(A)(s) \cup out(A)(s) \cup int(A)(s)$.


Definition 1 (SIOA) An SIOA $aut(A)$ consists of the following components

1. A set $states(A)$ of states.
2. A nonempty set $start(A) \subseteq states(A)$ of start states.
3. A signature mapping $sig(A)$ where for each $s \in states(A)$, $sig(A)(s) = (in(A)(s), out(A)(s), int(A)(s))$.
4. A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$, where $acts(A) = \bigcup_{s \in states(A)} \widehat{sig(A)(s)}$,

and satisfies the following constraints on those components:

1. $\forall (s, a, s') \in steps(A) : a \in \widehat{sig(A)(s)}$.
2. $\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$.
3. $\forall s \in states(A) : in(A)(s) \cap out(A)(s) = in(A)(s) \cap int(A)(s) = out(A)(s) \cap int(A)(s) = \emptyset$.


Constraint 1 requires that any executed action be in the signature of the initial state of the 
transition. Constraint 2 extends the input enabling requirement of I/O automata to SIOA. Con- 
straint 3 requires that in any state, an action cannot be both an input and an output, etc. However, 
the same action can be an input in one state and an output in another. This is in contrast to ordi- 
nary I/O automata, where the signature of an automaton is fixed once and for all, and cannot vary 
with the state. Thus, an action is either always an input, always an output, or always internal.


If $(s, a, s') \in steps(A)$, we also write $s \xrightarrow{a}_A s'$. For the sake of brevity, we write $states(A)$ instead
of $states(aut(A))$, i.e., the components of an automaton are identified by applying the appropriate
selector function to the automaton identifier, rather than the automaton itself.


The components in(A)(s), out(A)(s), int(A)(s) are the input, output, and internal actions of 
sig(A)(s). We define ext(A)(s) = (in(A)(s), out(A)(s)). 


Definition 2 (Execution, trace of SIOA) An execution fragment $\alpha$ of an SIOA A is a nonempty
(finite or infinite) sequence $s_0 a_1 s_1 a_2 \ldots$ of alternating states and actions such that $(s_{i-1}, a_i, s_i) \in
steps(A)$ for each triple $(s_{i-1}, a_i, s_i)$ occurring in $\alpha$. Also, $\alpha$ ends in a state if it is finite. An
execution of A is an execution fragment of A whose first state is in $start(A)$. $execs(A)$ denotes the
set of executions of SIOA A.


Given an execution fragment $\alpha = s_0 a_1 s_1 a_2 \ldots$ of A, the trace of $\alpha$ (denoted $trace(\alpha)$) is the
sequence that results from

1. removing all $a_i$ such that $a_i \notin \widehat{ext(A)(s_{i-1})}$, i.e., $a_i$ is an internal action of $s_{i-1}$, and then
2. replacing each $s_i$ by its external signature $ext(A)(s_i)$, and then
3. replacing each maximal block $ext(A)(s_i), \ldots, ext(A)(s_{i+k})$ such that $(\forall j : 0 \le j \le k : ext(A)(s_{i+j}) =
   ext(A)(s_i))$ by $ext(A)(s_i)$, i.e., replacing each maximal block of identical external signatures by
   a single representative. (Note: this also applies to an infinite suffix of identical signatures.)


Thus, a trace is a sequence of external actions and external signatures that starts with an external
signature. Also, if the trace is finite, then it ends with an external signature. Traces are our notion
of externally visible behavior. A trace $\beta$ of an execution $\alpha$ exposes the external actions along $\alpha$,
and the external signatures of states along $\alpha$, except that repeated identical external signatures
along $\alpha$ do not show up in $\beta$. Thus, the external signature of the first state of $\alpha$, and then all
subsequent changes to the external signature, are made visible in $\beta$. $traces(A)$, the set of traces of
an SIOA A, is the set $\{\beta \mid \exists \alpha \in execs(A) : \beta = trace(\alpha)\}$. We write $s \xrightarrow{\alpha}_A s'$ iff there exists an
execution fragment $\alpha$ of A starting in s and ending in s'. If a state s lies along some execution,
then we say that s is reachable. Otherwise, s is unreachable.
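As an added illustration (not part of the paper), the following Python code makes Definitions 1 and 2 executable: an SIOA is a record of states, start states, a state-dependent signature and a step relation; check_sioa reports which of the three constraints of Definition 1 fail, is_execution checks the execution condition, and trace computes trace(α) by the three steps just listed. The encoding (states as hashable values, a signature as the triple (in, out, int) of frozensets), the function names, and the three-state agent used as sample input are our own constructions; the agent “dies” by moving to a state whose signature is empty, as described in the introduction.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Hashable, List, Tuple

# A signature is the triple (in, out, int); each component is a frozenset of action names.
Sig = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]

def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)

def hat(sig: Sig) -> FrozenSet[str]:
    """The paper's hat operator: the union of the action sets of a signature."""
    return sig[0] | sig[1] | sig[2]

def ext(sig: Sig) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """External signature: the (in, out) part of a signature."""
    return (sig[0], sig[1])

@dataclass(frozen=True)
class SIOA:
    """Our encoding of Definition 1, clauses 1-4: sig maps a state to its signature."""
    states: FrozenSet[Hashable]
    start: FrozenSet[Hashable]
    sig: Callable[[Hashable], Sig]
    steps: FrozenSet[Tuple[Hashable, str, Hashable]]   # (s, a, s') triples

def check_sioa(A: SIOA) -> List[str]:
    """Return the constraints of Definition 1 that A violates (empty list = A is an SIOA)."""
    bad = []
    if not A.start or not A.start <= A.states:
        bad.append("start(A) must be a nonempty subset of states(A)")
    # Constraint 1: an executed action lies in the signature of the pre-state.
    if any(a not in hat(A.sig(s)) for (s, a, _) in A.steps):
        bad.append("constraint 1: action outside the pre-state signature")
    # Constraint 2: input enabling, in every state.
    enabled = {(s, a) for (s, a, _) in A.steps}
    if any((s, a) not in enabled for s in A.states for a in A.sig(s)[0]):
        bad.append("constraint 2: an input action is not enabled")
    # Constraint 3: in/out/int pairwise disjoint in every state.
    if any((i & o) or (i & n) or (o & n) for (i, o, n) in map(A.sig, A.states)):
        bad.append("constraint 3: overlapping input/output/internal sets")
    return bad

def is_execution(A: SIOA, alpha: tuple) -> bool:
    """Definition 2: alpha = (s0, a1, s1, a2, s2, ...) starts in start(A), every triple is a step."""
    if len(alpha) % 2 == 0 or alpha[0] not in A.start:
        return False
    return all((alpha[k], alpha[k + 1], alpha[k + 2]) in A.steps
               for k in range(0, len(alpha) - 2, 2))

def trace(A: SIOA, alpha: tuple) -> tuple:
    """Definition 2: drop internal actions, replace states by their external signatures,
    then collapse each maximal block of identical consecutive external signatures."""
    seq: list = [ext(A.sig(alpha[0]))]
    for k in range(1, len(alpha), 2):
        a, pre, post = alpha[k], alpha[k - 1], alpha[k + 1]
        pre_in, pre_out = ext(A.sig(pre))
        if a in pre_in | pre_out:            # external in the pre-state: keep it
            seq.append(a)
        seq.append(ext(A.sig(post)))
    collapsed = [seq[0]]
    for x in seq[1:]:
        if x != collapsed[-1]:               # only identical signatures can be adjacent
            collapsed.append(x)
    return tuple(collapsed)

# Constructed sample: a one-shot agent whose signature changes with its state and
# which dies (empty signature) after reporting.
AGENT_SIG = {
    "idle":    (fs("go"), fs(),       fs()),
    "working": (fs(),     fs("done"), fs("compute")),
    "dead":    (fs(),     fs(),       fs()),
}
AGENT = SIOA(
    states=frozenset(AGENT_SIG), start=fs("idle"), sig=AGENT_SIG.__getitem__,
    steps=frozenset({("idle", "go", "working"),
                     ("working", "compute", "working"),
                     ("working", "done", "dead")}),
)
# The same automaton with the step for input "go" removed: violates input enabling.
BROKEN = SIOA(AGENT.states, AGENT.start, AGENT.sig,
              frozenset(st for st in AGENT.steps if st[1] != "go"))

RUN = ("idle", "go", "working", "compute", "working", "done", "dead")

if __name__ == "__main__":
    print(check_sioa(AGENT), check_sioa(BROKEN))
    print(is_execution(AGENT, RUN), trace(AGENT, RUN))
```

On RUN the internal action "compute" and the repeated external signature of "working" disappear from the trace, so the trace has five elements: the external signature of "idle", "go", the external signature of "working", "done", and the empty external signature of "dead".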


The length $|\alpha|$ of a finite execution $\alpha$ is the number of transitions along $\alpha$. The length of
an infinite execution is infinite ($\omega$). If $|\alpha| = 0$, then $\alpha$ consists of a single state. If execution
$\alpha = s_0 a_1 s_1 a_2 \ldots$, then for $0 \le j \le |\alpha|$, define $\alpha|_j = s_0 a_1 s_1 a_2 \ldots a_j s_j$. We define a concatenation
operator $\frown$ for executions as follows. If $\alpha' = s_0 a_1 s_1 a_2 \ldots a_j s_j$ is a finite execution fragment and
$\alpha'' = t_0 b_1 t_1 b_2 \ldots$ is an execution fragment, then $\alpha' \frown \alpha''$ is defined to be the execution fragment
$s_0 a_1 s_1 a_2 \ldots a_j t_0 b_1 t_1 b_2 \ldots$ only when $s_j = t_0$. If $s_j \ne t_0$, then $\alpha' \frown \alpha''$ is undefined.


2.1 Parallel Composition of Signature I/O Automata 


The operation of composing a finite number n of SIOA together gives the technical definition of 
the idea of n SIOA executing concurrently. As with ordinary I/O automata, we require that the 
signatures of the SIOA be compatible, in the usual sense that there are no common outputs, and 
no internal action of one automaton is an action of another. 


Definition 3 (Compatible signatures) Let S be a set of signatures. Then S is compatible iff,
for all $sig \in S$, $sig' \in S$, where $sig = (in, out, int)$, $sig' = (in', out', int')$ and $sig \ne sig'$, we have:

1. $(in \cup out \cup int) \cap int' = \emptyset$, and

2. $out \cap out' = \emptyset$.


Since the signatures of SIOA vary with the state, we require compatibility for all possible 
combinations of states of the automata being composed. Our definition is “conservative” in that 
it requires compatibility for all combinations of states, not just those that are reachable in the 
execution of the composed automaton. This results in significantly simpler and cleaner definitions, 
and does not detract from the applicability of the theory. 


Definition 4 (Compatible SIOA) Let $A_1, \ldots, A_n$ be SIOA. $A_1, \ldots, A_n$ are compatible if and
only if for every $(s_1, \ldots, s_n) \in states(A_1) \times \cdots \times states(A_n)$, $\{sig(A_1)(s_1), \ldots, sig(A_n)(s_n)\}$ is a
compatible set of signatures.


Definition 5 (Composition of Signatures) Let $\Sigma = (in, out, int)$ and $\Sigma' = (in', out', int')$ be
compatible signatures. Then we define their composition $\Sigma \times \Sigma' = (in \cup in' - (out \cup out'), out \cup
out', int \cup int')$.


Signature composition is clearly commutative and associative. We therefore use $\prod$ for the n-ary
version of $\times$. Let $[n] \triangleq \{ i \mid 1 \le i \le n \}$.


As with I/O automata, the SIOA synchronize on same-named actions. To devise a theory that
accommodates the hierarchical construction of systems, we ensure that the composition of n SIOA
is itself an SIOA.


Definition 6 (Composition of SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA. Then $A = A_1 \parallel
\cdots \parallel A_n$ is the state-machine consisting of the following components:

1. A set of states $states(A) = states(A_1) \times \cdots \times states(A_n)$
2. A set of start states $start(A) = start(A_1) \times \cdots \times start(A_n)$
3. A signature mapping $sig(A)$ as follows. For each $s = (s_1, \ldots, s_n) \in states(A)$, $sig(A)(s) =
   sig(A_1)(s_1) \times \cdots \times sig(A_n)(s_n)$
4. A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$ which is the set of all
   $((s_1, \ldots, s_n), a, (t_1, \ldots, t_n))$ such that
   (a) $a \in \widehat{sig(A_1)(s_1)} \cup \ldots \cup \widehat{sig(A_n)(s_n)}$, and
   (b) for all $i \in [n]$: if $a \in \widehat{sig(A_i)(s_i)}$, then $(s_i, a, t_i) \in steps(A_i)$, otherwise $s_i = t_i$

If $s = (s_1, \ldots, s_n) \in states(A)$, then define $s|A_i = s_i$, for $i \in [n]$.


Since our goal is to deal with dynamic systems, we must define the composition of a variable 
number of SIOA at some point. We do this below in Section 5, where we deal with creation and 
destruction of SIOA. Roughly speaking, parallel composition is intended to model the composition 
of a finite number of large systems, for example a local-area network together with all of the 
attached hosts. Within each system however, an unbounded number of new components, for 
example processes, threads, or software agents, can be created. Thus, at any time, there is a finite 
but unbounded number of components in each system, and a finite, fixed, number of “top level” 
systems. 


Proposition 1 Let $A_1, \ldots, A_n$ be compatible SIOA. Then $A = A_1 \parallel \cdots \parallel A_n$ is an SIOA.


Proof: We must show that A satisfies the constraints of Definition 1. We deal with each constraint
in turn.

Constraint 1: Let $(s, a, s') \in steps(A)$. Then, s can be written as $(s_1, \ldots, s_n)$. From Definition 6,
clause 4, $a \in \widehat{sig(A_1)(s_1)} \cup \ldots \cup \widehat{sig(A_n)(s_n)}$. From Definition 6, clause 3, $\widehat{sig(A_1)(s_1)} \cup \ldots \cup
\widehat{sig(A_n)(s_n)} = \widehat{sig(A)(s)}$. Hence $a \in \widehat{sig(A)(s)}$.

Constraint 2: Let $s \in states(A)$, $a \in in(A)(s)$. Then, s can be written as $(s_1, \ldots, s_n)$. From
Definition 6, clause 3, $a \in (\bigcup_{1 \le i \le n} in(A_i)(s_i)) - out(A)(s)$. Hence, there exists $\varphi \subseteq \{1, \ldots, n\}$
such that $\forall i \in \varphi : a \in in(A_i)(s_i)$, and $\forall i \in \{1, \ldots, n\} - \varphi : a \notin \widehat{sig(A_i)(s_i)}$. Since each $A_i$ satisfies
Constraint 2 of Definition 1, we have:

$\forall i \in \varphi : \exists t_i : (s_i, a, t_i) \in steps(A_i)$.

By Definition 6, Clause 4,

$\exists t : (s, a, t) \in steps(A)$, where $\forall i \in \varphi : t|A_i = t_i$, and $\forall i \in \{1, \ldots, n\} - \varphi : t|A_i = s_i$.

Hence Constraint 2 is satisfied.

Constraint 3: Each $A_i$ satisfies Constraint 3 of Definition 1. From this and Definitions 6 and 5, it
is easy to see that A also satisfies Constraint 3. □
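The following Python code is an added example, not code from the paper, that implements Definitions 3 to 6 under the same encoding used in the earlier example (states are hashable values, sig(s) returns the triple (in, out, int) of frozensets, steps is a set of (s, a, s') triples). compatible checks Definition 4 by enumerating every combination of component states and applying Definition 3 to each pair of components; compose_sigs is the n-ary form of Definition 5; compose builds the product state machine of Definition 6, including synchronisation on same-named actions. The sender/receiver pair used as input is constructed for the example; note that the composed signature changes from state to state.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, FrozenSet, Hashable, Sequence, Tuple

Sig = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]  # (in, out, int)

def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)

def hat(sig: Sig) -> FrozenSet[str]:
    """Union of the three action sets of a signature."""
    return sig[0] | sig[1] | sig[2]

@dataclass(frozen=True)
class SIOA:
    states: FrozenSet[Hashable]
    start: FrozenSet[Hashable]
    sig: Callable[[Hashable], Sig]
    steps: FrozenSet[Tuple[Hashable, str, Hashable]]

def compatible_pair(s: Sig, t: Sig) -> bool:
    """Definition 3 for one pair: no internal action of either is an action of the
    other, and the two have no common output."""
    return not ((hat(s) & t[2]) or (hat(t) & s[2]) or (s[1] & t[1]))

def compatible(autos: Sequence[SIOA]) -> bool:
    """Definition 4: every combination of component states (reachable or not) must give
    pairwise compatible signatures. Pairs are taken over component positions, so two
    copies of one automaton are rejected when they share an output."""
    for combo in product(*(A.states for A in autos)):
        sigs = [A.sig(s) for A, s in zip(autos, combo)]
        for i in range(len(sigs)):
            for j in range(i + 1, len(sigs)):
                if not compatible_pair(sigs[i], sigs[j]):
                    return False
    return True

def compose_sigs(sigs: Sequence[Sig]) -> Sig:
    """Definition 5, n-ary: an input matched by some output is absorbed into the outputs."""
    ins = frozenset().union(*(s[0] for s in sigs))
    outs = frozenset().union(*(s[1] for s in sigs))
    ints = frozenset().union(*(s[2] for s in sigs))
    return (ins - outs, outs, ints)

def compose(*autos: SIOA) -> SIOA:
    """Definition 6: product states and start states, state-wise composed signature, and
    steps in which every component that has the action in its current signature takes a
    matching step while every other component stays put."""
    if not compatible(autos):
        raise ValueError("components are not compatible (Definition 4)")
    states = frozenset(product(*(A.states for A in autos)))
    start = frozenset(product(*(A.start for A in autos)))

    def sig(s: tuple) -> Sig:
        return compose_sigs([A.sig(si) for A, si in zip(autos, s)])

    steps = set()
    for s in states:
        for a in hat(sig(s)):                       # = union of the component hats
            choices = []
            for A, si in zip(autos, s):
                if a in hat(A.sig(si)):
                    choices.append([t for (x, b, t) in A.steps if x == si and b == a])
                else:
                    choices.append([si])            # does not participate: unchanged
            for t in product(*choices):
                steps.add((s, a, t))
    return SIOA(states, start, sig, frozenset(steps))

# Constructed sample: a sender that emits "msg" and then waits for "ack", and a receiver
# that accepts "msg" and then emits "ack".
SENDER_SIG = {"s0": (fs(), fs("msg"), fs()), "s1": (fs("ack"), fs(), fs())}
RECEIVER_SIG = {"r0": (fs("msg"), fs(), fs()), "r1": (fs(), fs("ack"), fs())}
SENDER = SIOA(frozenset(SENDER_SIG), fs("s0"), SENDER_SIG.__getitem__,
              frozenset({("s0", "msg", "s1"), ("s1", "ack", "s0")}))
RECEIVER = SIOA(frozenset(RECEIVER_SIG), fs("r0"), RECEIVER_SIG.__getitem__,
                frozenset({("r0", "msg", "r1"), ("r1", "ack", "r0")}))
SYS = compose(SENDER, RECEIVER)

if __name__ == "__main__":
    print(SYS.sig(("s0", "r0")), SYS.sig(("s1", "r1")))
    print(sorted(SYS.steps))
```

Two copies of SENDER are rejected by compatible because they share the output "msg" in state (s0, s0). The composed system has the four product states of Definition 6 and six steps, including the two unreachable states (s0, r1) and (s1, r0), because the definition ranges over all state combinations.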


2.2 Action Hiding for Signature I/O Automata 


The operation of action hiding allows us to convert output actions into internal actions, and is 
useful in specifying the set of actions that are to be visible at the interface of a system. 


Definition 7 (Action hiding for SIOA) Let A be an SIOA and $\Sigma$ a set of actions. Then $A \setminus \Sigma$
is the state-machine given by:

1. A set of states $states(A \setminus \Sigma) = states(A)$
2. A set of start states $start(A \setminus \Sigma) = start(A)$
3. A signature mapping $sig(A \setminus \Sigma)$ as follows. For each $s \in states(A)$,
   $sig(A \setminus \Sigma)(s) = (in(A \setminus \Sigma)(s), out(A \setminus \Sigma)(s), int(A \setminus \Sigma)(s))$, where
   (a) $out(A \setminus \Sigma)(s) = out(A)(s) - \Sigma$
   (b) $in(A \setminus \Sigma)(s) = in(A)(s)$
   (c) $int(A \setminus \Sigma)(s) = int(A)(s) \cup (out(A)(s) \cap \Sigma)$
4. A transition relation $steps(A \setminus \Sigma) = steps(A)$


Proposition 2 Let A be an SIOA and $\Sigma$ a set of actions. Then $A \setminus \Sigma$ is an SIOA.


Proof: We must show that $A \setminus \Sigma$ satisfies the constraints of Definition 1. We deal with each
constraint in turn.

Constraint 1: From Definition 7, we have, for any $s \in states(A \setminus \Sigma)$: $\widehat{sig(A \setminus \Sigma)(s)} = (out(A)(s) -
\Sigma) \cup in(A)(s) \cup (int(A)(s) \cup (out(A)(s) \cap \Sigma)) = ((out(A)(s) - \Sigma) \cup (out(A)(s) \cap \Sigma)) \cup in(A)(s) \cup int(A)(s)
= out(A)(s) \cup in(A)(s) \cup int(A)(s) = \widehat{sig(A)(s)}$.

Since A is an SIOA, we have $\forall (s, a, s') \in steps(A) : a \in \widehat{sig(A)(s)}$. From Definition 7,
$steps(A \setminus \Sigma) = steps(A)$. Hence, $\forall (s, a, s') \in steps(A \setminus \Sigma) : a \in \widehat{sig(A \setminus \Sigma)(s)}$. Thus, Constraint 1
holds for $A \setminus \Sigma$.

Constraint 2: From Definition 7, $states(A \setminus \Sigma) = states(A)$, $steps(A \setminus \Sigma) = steps(A)$, and for all
$s \in states(A \setminus \Sigma)$, $in(A \setminus \Sigma)(s) = in(A)(s)$.
Since A is an SIOA, we have Constraint 2 for A:
$\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$.
Hence, we also have
$\forall s \in states(A \setminus \Sigma), \forall a \in in(A \setminus \Sigma)(s), \exists s' : (s, a, s') \in steps(A \setminus \Sigma)$.
Hence Constraint 2 holds for $A \setminus \Sigma$.

Constraint 3: A satisfies Constraint 3 of Definition 1. From this and Definitions 6 and 5, it is easy
to see that $A \setminus \Sigma$ also satisfies Constraint 3. □


2.3 Action Renaming for Signature I/O Automata 


The operation of action renaming allows us to rename actions uniformly, that is, all occurrences 
of an action name are replaced by another action name, and the mapping is also one-to-one. This 
is useful in defining “parameterized” systems, in which there are many instances of a “generic” 
component, all of which have similar functionality. Examples of this include the servers in a client- 
server system, the components of a distributed database system, and hosts in a network. 


Definition 8 (Action renaming for SIOA) Let A be an SIOA and let $\rho$ be an injective mapping
from actions to actions whose domain includes $acts(A)$. Then $\rho(A)$ is the state machine given by:

1. $start(\rho(A)) = start(A)$
2. $states(\rho(A)) = states(A)$
3. for each $s \in states(A)$, $sig(\rho(A))(s) = (in(\rho(A))(s), out(\rho(A))(s), int(\rho(A))(s))$, where
   (a) $out(\rho(A))(s) = \rho(out(A)(s))$
   (b) $in(\rho(A))(s) = \rho(in(A)(s))$
   (c) $int(\rho(A))(s) = \rho(int(A)(s))$
4. A transition relation $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$


Proposition 3 Let A be an SIOA and let $\rho$ be an injective mapping from actions to actions whose
domain includes $acts(A)$. Then, $\rho(A)$ is an SIOA.


Proof: We must show that $\rho(A)$ satisfies the constraints of Definition 1. We deal with each
constraint in turn.

Constraint 1: From Definition 8, we have, for any $s \in states(\rho(A))$: $\widehat{sig(\rho(A))(s)} = out(\rho(A))(s) \cup
in(\rho(A))(s) \cup int(\rho(A))(s) = \rho(out(A)(s)) \cup \rho(in(A)(s)) \cup \rho(int(A)(s)) = \rho(\widehat{sig(A)(s)})$.

Since A is an SIOA, we have $\forall (s, a, s') \in steps(A) : a \in \widehat{sig(A)(s)}$. From Definition 8,
$steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$.

Hence, if $(s, \rho(a), t)$ is an arbitrary element of $steps(\rho(A))$, then $(s, a, t) \in steps(A)$, and
so $a \in \widehat{sig(A)(s)}$. Hence $\rho(a) \in \rho(\widehat{sig(A)(s)})$. Since $\rho(\widehat{sig(A)(s)}) = \widehat{sig(\rho(A))(s)}$, we conclude
$\rho(a) \in \widehat{sig(\rho(A))(s)}$. Hence, $\forall (s, \rho(a), s') \in steps(\rho(A)) : \rho(a) \in \widehat{sig(\rho(A))(s)}$. Thus, Constraint 1
holds for $\rho(A)$.

Constraint 2: From Definition 8, $states(\rho(A)) = states(A)$, $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in
steps(A)\}$, and for all $s \in states(\rho(A))$, $in(\rho(A))(s) = \rho(in(A)(s))$.
Since A is an SIOA, we have Constraint 2 for A:
$\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$.
Hence, we also have
$\forall s \in states(\rho(A)), \forall a \in in(\rho(A))(s), \exists s' : (s, a, s') \in steps(\rho(A))$.
Hence Constraint 2 holds for $\rho(A)$.

Constraint 3: A satisfies Constraint 3 of Definition 1. From this and Definitions 6 and 5, it is easy
to see that $\rho(A)$ also satisfies Constraint 3. □
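As an added example (not the paper's code), hiding and renaming are implemented below under the same SIOA encoding as the earlier examples. hide and rename follow Definitions 7 and 8 clause by clause, and the two identities used in the proofs of Propositions 2 and 3, $\widehat{sig(A \setminus \Sigma)(s)} = \widehat{sig(A)(s)}$ and $\widehat{sig(\rho(A))(s)} = \rho(\widehat{sig(A)(s)})$, are checked over all states. The server automaton and the renaming RHO1 are constructed for the example; the renaming shows how an indexed instance of a “generic” component is obtained.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Hashable, Tuple

Sig = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]  # (in, out, int)

def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)

def hat(sig: Sig) -> FrozenSet[str]:
    return sig[0] | sig[1] | sig[2]

@dataclass(frozen=True)
class SIOA:
    states: FrozenSet[Hashable]
    start: FrozenSet[Hashable]
    sig: Callable[[Hashable], Sig]
    steps: FrozenSet[Tuple[Hashable, str, Hashable]]

def acts(A: SIOA) -> FrozenSet[str]:
    """acts(A): the union of all state signatures."""
    return frozenset().union(*(hat(A.sig(s)) for s in A.states))

def hide(A: SIOA, hidden: FrozenSet[str]) -> SIOA:
    """Definition 7: outputs in `hidden` become internal; states and steps are unchanged."""
    def sig(s: Hashable) -> Sig:
        i, o, n = A.sig(s)
        return (i, o - hidden, n | (o & hidden))
    return SIOA(A.states, A.start, sig, A.steps)

def is_valid_renaming(A: SIOA, rho: Dict[str, str]) -> bool:
    """rho must be defined on acts(A) and injective there (Definition 8's side condition)."""
    dom = acts(A)
    return dom <= frozenset(rho) and len({rho[a] for a in dom}) == len(dom)

def rename(A: SIOA, rho: Dict[str, str]) -> SIOA:
    """Definition 8: apply rho to every action, in signatures and in steps."""
    if not is_valid_renaming(A, rho):
        raise ValueError("rho must be an injective map defined on acts(A)")
    def sig(s: Hashable) -> Sig:
        i, o, n = A.sig(s)
        return tuple(frozenset(rho[a] for a in part) for part in (i, o, n))  # (in, out, int)
    return SIOA(A.states, A.start, sig,
                frozenset((s, rho[a], t) for (s, a, t) in A.steps))

def hiding_keeps_hat(A: SIOA, hidden: FrozenSet[str]) -> bool:
    """Identity from the proof of Proposition 2: hiding never changes a state's action set."""
    H = hide(A, hidden)
    return all(hat(H.sig(s)) == hat(A.sig(s)) for s in A.states)

def renaming_commutes_with_hat(A: SIOA, rho: Dict[str, str]) -> bool:
    """Identity from the proof of Proposition 3: hat(sig(rho(A))(s)) = rho(hat(sig(A)(s)))."""
    R = rename(A, rho)
    return all(hat(R.sig(s)) == frozenset(rho[a] for a in hat(A.sig(s))) for s in A.states)

# Constructed sample: a server that accepts a request, then answers and may log.
SERVER_SIG = {"ready": (fs("req"), fs(), fs()),
              "busy":  (fs(), fs("resp", "log"), fs())}
SERVER = SIOA(frozenset(SERVER_SIG), fs("ready"), SERVER_SIG.__getitem__,
              frozenset({("ready", "req", "busy"), ("busy", "resp", "ready"),
                         ("busy", "log", "busy")}))
# Renaming that yields "instance 1" of the generic server.
RHO1 = {"req": "req1", "resp": "resp1", "log": "log1"}

if __name__ == "__main__":
    print(hide(SERVER, fs("log")).sig("busy"))
    print(rename(SERVER, RHO1).sig("ready"), sorted(rename(SERVER, RHO1).steps))
```

Hiding "log" moves it from the outputs to the internal actions of state "busy" without touching the step relation, so the external interface of the server shrinks while its behaviour does not change; a non-injective renaming such as mapping both "req" and "resp" to the same name is rejected.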


3 Compositional Reasoning for Signature I/O Automata 


To confirm that our model provides a reasonable notion of concurrent composition, which has 
expected properties, and to enable compositional reasoning, we establish execution “projection” 
and “pasting” results for compositions. We deal with both execution projection/pasting, and also 
with trace pasting. 


3.1 Execution Projection and Pasting for SIOA 


Given a parallel composition $A = A_1 \parallel \cdots \parallel A_n$ of n SIOA, we define the projection of an
alternating sequence of states and actions of A onto one of the $A_i$, $i \in [n]$, in the usual way: the
state components for all SIOA other than $A_i$ are removed, and so are all actions in which $A_i$ does
not participate.


Definition 9 (Execution projection for SIOA) Let $A = A_1 \parallel \cdots \parallel A_n$ be an SIOA. Let $\alpha$ be a
sequence $s_0 a_1 s_1 a_2 s_2 \ldots s_{j-1} a_j s_j \ldots$ where $\forall j \ge 0, s_j = (s_{j,1}, \ldots, s_{j,n}) \in states(A)$ and $\forall j > 0, a_j \in
\widehat{sig(A)(s_{j-1})}$. Then, for $i \in [n]$, define $\alpha|A_i$ to be the sequence resulting from:

1. replacing each $s_j$ by its $i$'th component $s_{j,i}$, and then

2. removing all $a_j s_j$ such that $a_j \notin \widehat{sig(A_i)(s_{j-1,i})}$.


$s_{j,i}$ is the component of $s_j$ which gives the state of $A_i$. $sig(A_i)(s_{j-1,i})$ is the signature of $A_i$
when in state $s_{j-1,i}$. Thus, if $a_j \notin \widehat{sig(A_i)(s_{j-1,i})}$, then the action $a_j$ does not occur in the signature
$sig(A_i)(s_{j-1,i})$, and $A_i$ does not participate in the execution of $a_j$. In this case, $a_j$ and the following
state are removed from the projection, since the idea behind execution projection is to retain only
the state of $A_i$, and only the actions which $A_i$ participates in. Note that we do not require $\alpha$ to
actually be an execution of A, since this is unnecessary for the definition, and also facilitates the
statement of execution pasting below.


Our execution projection result states that the projection of an execution of a composed SIOA
$A = A_1 \parallel \cdots \parallel A_n$ onto a component $A_i$ is an execution of $A_i$.


Theorem 4 (Execution projection for SIOA) Let $A = A_1 \parallel \cdots \parallel A_n$ be an SIOA. If $\alpha \in
execs(A)$ then $\alpha|A_i \in execs(A_i)$.


Proof: Let $\alpha = u_0 a_1 u_1 a_2 u_2 \ldots \in execs(A)$, and let $s_0 = u_0|A_i$. Then, by Definition 9, $s_0 \in
start(A_i)$ and $\alpha|A_i = s_0 b_1 s_1 b_2 s_2 \ldots$ for some $b_1 s_1 b_2 s_2 \ldots$, where $s_j \in states(A_i)$ for $j \ge 1$.
Consider an arbitrary step $(s_{j-1}, b_j, s_j)$ of $\alpha|A_i$. Since $b_j s_j$ was not removed in Clause 2 of
Definition 9, we have
(1) $s_j = u_k|A_i$ for some $k > 0$ and such that $a_k \in \widehat{sig(A_i)(u_{k-1}|A_i)}$,
(2) $b_j = a_k$, and
(3) $s_{j-1} = u_\ell|A_i$ for the smallest $\ell$ such that
$\ell < k$ and $\forall m : \ell + 1 \le m < k : a_m \notin \widehat{sig(A_i)(u_{m-1}|A_i)}$.
From (3) and Definitions 6 and 9, $u_\ell|A_i = u_{k-1}|A_i$. Hence $s_{j-1} = u_{k-1}|A_i$. From $u_{k-1} \xrightarrow{a_k}_A u_k$,
$a_k \in \widehat{sig(A_i)(u_{k-1}|A_i)}$, and Definition 6, we have $u_{k-1}|A_i \xrightarrow{a_k}_{A_i} u_k|A_i$. Hence $s_{j-1} \xrightarrow{b_j}_{A_i} s_j$ from $s_{j-1} =
u_{k-1}|A_i$ established above and (1), (2). Now $s_{j-1}, s_j \in states(A_i)$, and so $(s_{j-1}, b_j, s_j) \in steps(A_i)$.
Since $(s_{j-1}, b_j, s_j)$ was arbitrarily chosen, we conclude that every step of $\alpha|A_i$ is a step of $A_i$.

Since the first state of $\alpha|A_i$ is $s_0$, and $s_0 \in start(A_i)$, we have established that $\alpha|A_i$ is an execution


Execution pasting is, roughly, an “inverse” of projection. If $\alpha$ is an alternating sequence of
states and actions of a composed SIOA $A = A_1 \parallel \cdots \parallel A_n$ such that (1) the projection of $\alpha$ onto
each $A_i$ is an actual execution of $A_i$, and (2) every action of $\alpha$ not involving $A_i$ does not change
the state of $A_i$, then $\alpha$ will be an actual execution of A. Condition (1) is the “inverse” of execution
projection. Condition (2) is a consistency condition which requires that $A_i$ cannot “spuriously”
change its state when an action not in the current signature of $A_i$ is executed.


Theorem 5 (Execution pasting for SIOA) Let $A = A_1 \parallel \cdots \parallel A_n$ be an SIOA. Let $\alpha$ be a
sequence $s_0 a_1 s_1 a_2 s_2 \ldots s_{j-1} a_j s_j \ldots$ where $\forall j \ge 0, s_j = (s_{j,1}, \ldots, s_{j,n}) \in states(A)$ and $\forall j > 0, a_j \in
\widehat{sig(A)(s_{j-1})}$. Furthermore, suppose that

1. for all $1 \le i \le n$: $\alpha|A_i \in execs(A_i)$, and

2. for all $j > 0$: if $a_j \notin \widehat{sig(A_i)(s_{j-1,i})}$ then $s_{j-1,i} = s_{j,i}$.

Then, $\alpha \in execs(A)$.


Proof: We shall establish, by induction on $j$:

for all $j \ge 0$, $\alpha|_j \in execs(A)$. (*)

From which we can conclude $s_0 \in start(A)$ and $\forall j > 0 : (s_{j-1}, a_j, s_j) \in steps(A)$. Definition 2 then
implies the desired conclusion, $\alpha \in execs(A)$.

Base case: $j = 0$.

So $\alpha|_0 = s_0$. Now $s_0 = (s_{0,1}, \ldots, s_{0,n})$ by assumption. By Definition 9, $s_{0,i}$ is the first state of
$\alpha|A_i$, for $1 \le i \le n$. By clause 1, $\alpha|A_i \in execs(A_i)$, and so $s_{0,i} \in start(A_i)$, for $1 \le i \le n$. Thus,
by Definition 6, $s_0 \in start(A)$.

Induction step: $j > 0$.

Assume the induction hypothesis:

$\alpha|_{j-1} \in execs(A)$ (ind. hyp.)

and establish $\alpha|_j \in execs(A)$. By Definition 2, it is clearly sufficient to establish $s_{j-1} \xrightarrow{a_j}_A s_j$. By
assumption, $a_j \in \widehat{sig(A)(s_{j-1})}$.

Let $\varphi \subseteq \{1, \ldots, n\}$ be the unique set such that $\forall i \in \varphi : a_j \in \widehat{sig(A_i)(s_{j-1}|A_i)}$ and $\forall i \in
\{1, \ldots, n\} - \varphi : a_j \notin \widehat{sig(A_i)(s_{j-1}|A_i)}$. Thus, by Definition 9:

$\forall i \in \varphi : (s_{j-1}|A_i, a_j, s_j|A_i)$ lies along $\alpha|A_i$.
Since $\forall i \in \{1, \ldots, n\} : \alpha|A_i \in execs(A_i)$ and $A_i$ is an SIOA,
$\forall i \in \varphi : s_{j-1}|A_i \xrightarrow{a_j}_{A_i} s_j|A_i$.
Also, by clause 2,
$\forall i \in \{1, \ldots, n\} - \varphi : s_{j-1}|A_i = s_j|A_i$.
By Definition 6,
$(s_{j-1}|A_1, \ldots, s_{j-1}|A_n) \xrightarrow{a_j}_A (s_j|A_1, \ldots, s_j|A_n)$.

Hence

$s_{j-1} \xrightarrow{a_j}_A s_j$.

From the induction hypothesis $\alpha|_{j-1} \in execs(A)$ and $s_{j-1} \xrightarrow{a_j}_A s_j$ and Definition 6, we have
$\alpha|_j \in execs(A)$. □
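The following Python code is an added example, not the paper's own, that makes Definition 9 and Theorem 5 concrete for a composition of two components. project implements the two steps of Definition 9 on a sequence of product states and actions; pasting_hypotheses evaluates clauses 1 and 2 of Theorem 5; is_composed_execution checks membership in execs(A) directly from clause 4 of Definition 6, so the theorem's conclusion can be compared with its hypotheses on sample sequences. The SIOA encoding and the sender/receiver pair (the receiver here has an internal action "check") are constructed for the example; the second sample sequence shows why clause 2 is needed.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Hashable, Sequence, Tuple

Sig = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]  # (in, out, int)

def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)

def hat(sig: Sig) -> FrozenSet[str]:
    return sig[0] | sig[1] | sig[2]

@dataclass(frozen=True)
class SIOA:
    states: FrozenSet[Hashable]
    start: FrozenSet[Hashable]
    sig: Callable[[Hashable], Sig]
    steps: FrozenSet[Tuple[Hashable, str, Hashable]]

def is_execution(A: SIOA, alpha: tuple) -> bool:
    """Definition 2 for a single SIOA; alpha = (s0, a1, s1, ...)."""
    return alpha[0] in A.start and all(
        (alpha[k], alpha[k + 1], alpha[k + 2]) in A.steps for k in range(0, len(alpha) - 2, 2))

def project(autos: Sequence[SIOA], alpha: tuple, i: int) -> tuple:
    """Definition 9: keep the i-th component of every state, and drop each action (with
    its following state) that is not in A_i's signature in the preceding state."""
    A = autos[i]
    out = [alpha[0][i]]
    for k in range(1, len(alpha), 2):
        a, pre, post = alpha[k], alpha[k - 1], alpha[k + 1]
        if a in hat(A.sig(pre[i])):
            out += [a, post[i]]
    return tuple(out)

def pasting_hypotheses(autos: Sequence[SIOA], alpha: tuple) -> Tuple[bool, bool]:
    """Clauses 1 and 2 of Theorem 5: every projection is an execution of its component,
    and no component changes state on an action outside its current signature."""
    n = len(autos)
    clause1 = all(is_execution(autos[i], project(autos, alpha, i)) for i in range(n))
    clause2 = all(alpha[k - 1][i] == alpha[k + 1][i]
                  for k in range(1, len(alpha), 2) for i in range(n)
                  if alpha[k] not in hat(autos[i].sig(alpha[k - 1][i])))
    return clause1, clause2

def is_composed_execution(autos: Sequence[SIOA], alpha: tuple) -> bool:
    """Membership in execs(A_1 || ... || A_n), checked directly against Definition 6, clause 4."""
    if not all(alpha[0][i] in A.start for i, A in enumerate(autos)):
        return False
    for k in range(1, len(alpha), 2):
        s, a, t = alpha[k - 1], alpha[k], alpha[k + 1]
        if not any(a in hat(A.sig(s[i])) for i, A in enumerate(autos)):
            return False                       # clause 4(a): some component owns the action
        for i, A in enumerate(autos):
            if a in hat(A.sig(s[i])):
                if (s[i], a, t[i]) not in A.steps:
                    return False               # clause 4(b): a participant must take a step
            elif s[i] != t[i]:
                return False                   # clause 4(b): a non-participant is unchanged
    return True

# Constructed sample: sender / receiver; the receiver checks the message internally.
SENDER_SIG = {"s0": (fs(), fs("msg"), fs()), "s1": (fs("ack"), fs(), fs())}
RECEIVER_SIG = {"r0": (fs("msg"), fs(), fs()), "r1": (fs(), fs("ack"), fs("check"))}
SENDER = SIOA(frozenset(SENDER_SIG), fs("s0"), SENDER_SIG.__getitem__,
              frozenset({("s0", "msg", "s1"), ("s1", "ack", "s0")}))
RECEIVER = SIOA(frozenset(RECEIVER_SIG), fs("r0"), RECEIVER_SIG.__getitem__,
                frozenset({("r0", "msg", "r1"), ("r1", "check", "r1"), ("r1", "ack", "r0")}))
SYS = (SENDER, RECEIVER)

# A genuine execution of the composition.
GOOD = (("s0", "r0"), "msg", ("s1", "r1"), "check", ("s1", "r1"), "ack", ("s0", "r0"))
# Both projections are executions, but the sender changes state on "check", which is not
# in its signature: clause 2 fails, and so does membership in execs(A).
SPURIOUS = (("s0", "r0"), "msg", ("s1", "r1"), "check", ("s0", "r1"))
# The receiver ignores "msg" although it is in its signature: clause 1 fails.
NOSYNC = (("s0", "r0"), "msg", ("s1", "r0"))

if __name__ == "__main__":
    for name, alpha in (("GOOD", GOOD), ("SPURIOUS", SPURIOUS), ("NOSYNC", NOSYNC)):
        print(name, pasting_hypotheses(SYS, alpha), is_composed_execution(SYS, alpha))
```

On GOOD both hypotheses hold and the sequence is an execution of the composition, as Theorem 5 promises; SPURIOUS satisfies clause 1 only, and the direct check rejects it for exactly the reason clause 2 exists, while NOSYNC fails clause 1 because the receiver's projection contains the non-step (r0, msg, r0).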


3.2 Trace Pasting for SIOA 


We deal only with trace pasting, and not trace projection. Trace projection is not well-defined since
a trace of $A = A_1 \parallel \cdots \parallel A_n$ does not contain information about the $A_i$, $i \in [n]$. Since the external
signatures of each $A_i$ vary, there is no way of determining, from a trace $\beta$, which $A_i$ participate
in each action along $\beta$. Thus, the projection of $\beta$ onto some $A_i$ cannot be recovered from $\beta$ itself,
but only from an execution $\alpha$ whose trace is $\beta$. Since there are, in general, several such executions,
the projection of $\beta$ onto $A_i$ can be different, depending on which execution we select. Hence, the
projection of $\beta$ onto $A_i$ is not well-defined as a single trace. It could be defined as a set of traces:
$\beta|A_i = traces(execs(A_i)(\beta))$. We do not pursue this avenue here.


We find it sufficient to deal only with trace pasting, since we are able to establish our main 
result, trace substitutivity, which states that replacing an SIOA in a parallel composition by one 
whose traces are a subset of the former’s, results in a parallel composition whose traces are a subset 
of the original parallel composition’s. In other words, trace-containment is monotonic with respect 
to parallel composition. 


Let $\Sigma = (in, out, int)$ and $\Sigma' = (in', out', int')$ be signatures. We define $\widehat{\Sigma} = in \cup out \cup int$, and
$\Sigma \subseteq \Sigma'$ to mean $in \subseteq in'$ and $out \subseteq out'$ and $int \subseteq int'$.
Definition 10 (Pretrace) A pretrace $\gamma = \gamma(1)\gamma(2)\ldots$ is a nonempty sequence such that

1. For all $i \ge 1$, $\gamma(i)$ is an external signature or an action
2. $\gamma(1)$ is an external signature
3. No two successive elements of $\gamma$ are actions
4. For all $i > 1$, if $\gamma(i)$ is an action a, then $\gamma(i - 1)$ is an external signature containing a
   ($a \in \widehat{\gamma(i - 1)}$)
5. If $\gamma$ is finite, then it ends in an external signature


The notion of a pretrace is similar to that of a trace, but it permits “stuttering”: the (possibly 
infinite) repetition of the same external signature. This simplifies the subsequent proofs, since it 
allows us to “stretch” and “compress” pretraces corresponding to different SIOA so that they “line 
up” nicely. Our definition of a pretrace does not depend on a particular SIOA, i.e., we have not
defined “a pretrace of an SIOA A,” but rather just a pretrace in general. We define “pretrace of 
an SIOA A” below. 


Definition 11 (Reduction of pretrace to a trace) Let $\gamma$ be a pretrace. Then $r(\gamma)$ is the result
of replacing all maximal blocks of identical external signatures in $\gamma$ by a single representative. In
particular, if $\gamma$ has an infinite suffix consisting of repetitions of an external signature, then that is
replaced by a single representative.


If $\gamma = r(\gamma)$, then we say that $\gamma$ is a trace. This defines a notion of trace in general, as opposed to "trace of an SIOA $A$." We now define stuttering-equivalence ($\approx$) for pretraces. Essentially, if one pretrace can be obtained from another by adding and/or removing repeated external signatures, then they are stuttering equivalent.


Definition 12 ($\approx$) Let $\gamma, \gamma'$ be pretraces. Then $\gamma \approx \gamma'$ iff $r(\gamma) = r(\gamma')$.


It is obvious that $\approx$ is an equivalence relation. Note that every trace is also a pretrace, but not necessarily vice versa, since repeated external signatures (stuttering) are disallowed in traces. The length $|\gamma|$ of a finite pretrace $\gamma$ is the number of occurrences of external signatures and actions in $\gamma$. The length of an infinite pretrace is $\omega$. Let pretrace $\gamma = \gamma(1)\gamma(2)\ldots$. Then for $0 \le i \le |\gamma|$, define $\gamma|_i = \gamma(1)\gamma(2)\ldots\gamma(i)$. We define concatenation for pretraces as simply sequence concatenation, and will usually use juxtaposition to denote trace concatenation, but will sometimes use the $\frown$ operator for clarity. The concatenation of two pretraces is always a pretrace (note that this is not true of traces, since concatenating two traces can result in a repeated external signature). We use $<$, $\le$ for proper prefix, prefix, respectively, of a pretrace: $\gamma < \gamma'$ iff there exists a pretrace $\gamma''$ such that $\gamma' = \gamma\gamma''$, and $\gamma \le \gamma'$ iff $\gamma = \gamma'$ or $\gamma < \gamma'$. If $\gamma'$ is a pretrace and $\gamma < \gamma'$, then $\gamma$ satisfies clauses 2-4 of Definition 10, but may not satisfy clause 5. For a sequence $\gamma$ that does satisfy clauses 2-4 of Definition 10, define the predicate $ispretrace(\gamma) \triangleq (last(\gamma)$ is an external signature$)$.


We now define a predicate $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ which takes $n + 1$ pretraces and holds when $\gamma$ is a possible result of "zipping" up $\gamma_1, \ldots, \gamma_n$, as would result when $\gamma_1, \ldots, \gamma_n$ are pretraces of compatible SIOA $A_1, \ldots, A_n$ respectively, and $\gamma$ is the corresponding trace of $A = A_1 \parallel \cdots \parallel A_n$.
Definition 13 (zip of pretraces) Let $\gamma, \gamma_1, \ldots, \gamma_n$ all be pretraces ($n \ge 1$). The predicate $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds iff

1. $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$
2. For all $i > 1$: if $\gamma(i)$ is an action $a$, then there exists nonempty $\varphi \subseteq [n]$ such that
   (a) $\forall k \in \varphi : \gamma_k(i) = a$
   (b) $\forall \ell \in [n] - \varphi : \gamma_\ell(i-1) = \gamma_\ell(i) = \gamma_\ell(i+1)$, $\gamma_\ell(i)$ is an external signature $\Gamma_\ell$, and $a \notin \widehat{\Gamma_\ell}$
3. For all $i > 0$: if $\gamma(i)$ is an external signature $\Gamma$, then for all $j \in [n]$, $\gamma_j(i)$ is an external signature $\Gamma_j$, and $\Gamma = \prod_{j \in [n]} \Gamma_j$.
4. For all $i > 0$, if $\gamma(i-1)$ and $\gamma(i)$ are both external signatures, then there exists $k \in [n]$ such that $\forall \ell \in [n] - k : \gamma_\ell(i-1) = \gamma_\ell(i)$


Proposition 6 Let $\gamma, \gamma_1, \ldots, \gamma_n$ all be pretraces ($n \ge 1$). Suppose $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Then, for all $i$ such that $1 \le i \le |\gamma|$ and $ispretrace(\gamma|_i)$ (i.e., $\gamma(i)$ is an external signature), $zips(\gamma|_i, \gamma_1|_i, \ldots, \gamma_n|_i)$ holds.

Proof: Immediate from Definition 13. $\square$


We use the $zips$ predicate on pretraces together with the $\approx$ relation on pretraces to define a "zipping" predicate for traces: the trace $\beta$ is a possible result of "zipping up" the traces $\beta_1, \ldots, \beta_n$ if there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ that are stuttering-equivalent to $\beta, \beta_1, \ldots, \beta_n$ respectively, and for which the $zips$ predicate holds. The predicate so defined is named $zip$. Thus, $zips$ is "zipping with stuttering," as applied to pretraces, and $zip$ is "zipping without stuttering," as applied to traces.


Definition 14 (zip of traces) Let $\beta, \beta_1, \ldots, \beta_n$ all be traces ($n \ge 1$). The predicate $zip(\beta, \beta_1, \ldots, \beta_n)$ holds iff there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $\forall j \in [n] : \gamma_j \approx \beta_j$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.


Define $pretraces(A) = \{ \gamma \mid \exists \beta \in traces(A) : \beta \approx \gamma \}$. That is, $pretraces(A)$ is the set of pretraces which are stuttering-equivalent to some trace of $A$. An equivalent definition which is sometimes more convenient is $pretraces(A) = \{ \gamma \mid \exists \alpha \in execs(A) : trace(\alpha) \approx \gamma \}$. We also define $pretraces^*(A) = \{ \gamma \mid \gamma \in pretraces(A) \text{ and } \gamma \text{ is finite} \}$.


Given $\gamma \in pretraces(A)$, we define $execs(A)(\gamma) = \{ \alpha \mid \alpha \in execs(A) \wedge trace(\alpha) \approx \gamma \}$. In other words, $execs(A)(\gamma)$ is the set of executions (possibly empty) of $A$ whose trace is stuttering-equivalent to $\gamma$. Also, $execs^*(A)(\gamma) = \{ \alpha \mid \alpha \in execs^*(A) \wedge trace(\alpha) \approx \gamma \}$, i.e., the set of finite executions (possibly empty) of $A$ whose trace is stuttering-equivalent to $\gamma$.


Theorem 7 states that if a set of finite pretraces $\gamma_j$ of $A_j$ respectively, $j \in [n]$, can be "zipped up" to generate a finite pretrace $\gamma$, then $\gamma$ is a pretrace of $A_1 \parallel \cdots \parallel A_n$, and furthermore, any set of executions corresponding to the $\gamma_j$ can be pasted together to generate an execution of $A_1 \parallel \cdots \parallel A_n$ corresponding to $\gamma$. Theorem 7 is established by induction on the length of $\gamma$, and the explicit use of executions corresponding to the pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ is needed to make the induction go through.
Theorem 7 (Finite-pretrace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\gamma$ be a finite pretrace. If, for all $j \in [n]$, $\gamma_j \in pretraces^*(A_j)$ can be chosen so that $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds, then

$$\forall \alpha_1 \in execs^*(A_1)(\gamma_1), \ldots, \forall \alpha_n \in execs^*(A_n)(\gamma_n),\ \exists \alpha \in execs^*(A) : trace(\alpha) \approx \gamma \wedge (\textstyle\bigwedge_{j \in [n]} \alpha \lceil A_j = \alpha_j)$$
Proof: Since $\gamma_j \in pretraces^*(A_j)$, we easily deduce, from the definitions, that $execs^*(A_j)(\gamma_j) \ne \emptyset$ for all $j \in [n]$. For all $j \in [n]$, fix $\alpha_j$ to be an arbitrary element of $execs^*(A_j)(\gamma_j)$. We will assume the antecedent of the theorem, that is, $\gamma_j \in pretraces^*(A_j)$ for all $j \in [n]$ and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. We will also assume the induction hypothesis for all prefixes of $\gamma$ that are pretraces. We will then establish

$$\exists \alpha \in execs^*(A) : trace(\alpha) \approx \gamma \wedge (\textstyle\bigwedge_{j \in [n]} \alpha \lceil A_j = \alpha_j) \qquad (*)$$

which suffices to establish the theorem. The proof is by induction on $|\gamma|$, the length of $\gamma$.


Base case: $|\gamma| = 1$. Hence $\gamma$ consists of a single external signature $\Gamma$. For the rest of the base case, let $j$ range over $[n]$. By $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ and Definition 13, we have that each $\gamma_j$ consists of a single external signature $\Gamma_j$, and $\Gamma = \prod_{j \in [n]} \Gamma_j$. Since $\gamma_1, \ldots, \gamma_n$ contain no actions, $\alpha_1, \ldots, \alpha_n$ must contain only internal actions (if any). Furthermore, all the states along $\alpha_j$, $j \in [n]$, must have the same external signature, namely $\Gamma_j$.

By Definition 6, we can construct an execution $\alpha$ of $A$ by first executing all the internal actions in $\alpha_1$ (in the sequence in which they occur in $\alpha_1$), and then executing all the internal actions in $\alpha_2$, etc., until we have executed all the actions of $\alpha_n$, in sequence. It immediately follows, by Definition 9, that $\forall j \in [n] : \alpha \lceil A_j = \alpha_j$. The external signature of every state along $\alpha$ is $\prod_{j \in [n]} \Gamma_j$, i.e., $\Gamma$, since the external signature component contributed by each $A_j$ is always $\Gamma_j$. Hence, by Definition 2, $trace(\alpha) \approx \Gamma$. Thus, $trace(\alpha) \approx \gamma$. We have thus established $trace(\alpha) \approx \gamma$ and $(\bigwedge_{j \in [n]} \alpha \lceil A_j = \alpha_j)$. Hence $(*)$ is established.


Induction step: $|\gamma| > 1$. There are two cases to consider, according to Definition 13.

Case 1: $\gamma = \gamma' a \Gamma$, $\gamma'$ is a pretrace, $a$ is an action, and $\Gamma$ is an external signature.
Hence, by Definition 13, we have

$$\begin{aligned}
&\exists \varphi, \emptyset \ne \varphi \subseteq [n] :\\
&\quad \forall k \in \varphi : \gamma_k = \gamma'_k a \Gamma_k \wedge a \in \widehat{last(\gamma'_k)},\\
&\quad \forall \ell \in [n] - \varphi : \gamma_\ell = \gamma'_\ell \Gamma_\ell \Gamma_\ell \wedge \Gamma_\ell = last(\gamma'_\ell) \wedge a \notin \widehat{\Gamma_\ell},\\
&\quad zips(\gamma', \gamma'_1, \ldots, \gamma'_n),\\
&\quad \Gamma = (\textstyle\prod_{k \in \varphi} \Gamma_k) \times (\textstyle\prod_{\ell \in [n] - \varphi} \Gamma_\ell). \qquad (a)
\end{aligned}$$

For the rest of this case, let $j$ range over $[n]$, $k$ range over $\varphi$, and $\ell$ range over $[n] - \varphi$. In (a), we have that $\gamma'_j \in pretraces^*(A_j)$ for all $j$, since $\gamma'_j < \gamma_j$ and $\gamma_j \in pretraces^*(A_j)$ for all $j$. Since we also have $\gamma' < \gamma$ and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we can apply the inductive hypothesis for $\gamma'$ to obtain

$$\forall \alpha'_1 \in execs^*(A_1)(\gamma'_1), \ldots, \forall \alpha'_n \in execs^*(A_n)(\gamma'_n) :\ \exists \alpha' \in execs^*(A) : trace(\alpha') \approx \gamma' \wedge \forall j \in [n] : \alpha' \lceil A_j = \alpha'_j \qquad (b)$$

By assumption, $\alpha_k \in execs^*(A_k)(\gamma_k)$. Hence, we can find a finite execution $\alpha'_k$ and a finite execution fragment $\alpha''_k$ such that $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$, where $s_k = last(\alpha'_k)$, $ext(A_k)(t_k) = \Gamma_k$, and $t_k = first(\alpha''_k)$. Furthermore, $\alpha'_k \in execs^*(A_k)(\gamma'_k)$, since $\alpha_k \in execs^*(A_k)(\gamma_k)$, $\gamma_k = \gamma'_k a \Gamma_k$, and $ext(A_k)(t_k) = \Gamma_k$. Also, $\alpha''_k$ consists entirely of internal actions, and $trace(\alpha''_k) \approx \Gamma_k$, i.e., every state along $\alpha''_k$ has external signature $\Gamma_k$.
By assumption, $\alpha_\ell \in execs(A_\ell)(\gamma_\ell)$. For all $\ell$, let $\alpha'_\ell = \alpha_\ell$, and let $s_\ell = t_\ell = last(\alpha_\ell)$. Hence $\alpha'_\ell \in execs(A_\ell)(\gamma'_\ell)$, since $\gamma'_\ell \approx \gamma_\ell$. Instantiating (b) for these choices of $\alpha'_k$, $\alpha'_\ell$, we obtain, for some $\alpha'$:

$$(\textstyle\bigwedge_j \alpha' \lceil A_j = \alpha'_j) \wedge \alpha' \in execs^*(A)(\gamma') \wedge (\textstyle\bigwedge_k (s_k, a, t_k) \in steps(A_k)) \wedge (\textstyle\bigwedge_k ext(A_k)(t_k) = \Gamma_k). \qquad (c)$$

By $\alpha'_\ell \in execs^*(A_\ell)(\gamma'_\ell)$ and $s_\ell = last(\alpha'_\ell)$, we have $ext(A_\ell)(s_\ell) = last(\gamma'_\ell)$. Hence, by (a), we have $ext(A_\ell)(s_\ell) = \Gamma_\ell$. Also, by (a), $a \notin \widehat{\Gamma_\ell}$. Thus,

$$\textstyle\bigwedge_\ell\ a \notin \widehat{ext(A_\ell)(s_\ell)} \wedge ext(A_\ell)(s_\ell) = \Gamma_\ell. \qquad (d)$$


Also, since $A_1, \ldots, A_n$ are compatible SIOA, we have $\bigwedge_\ell a \notin int(A_\ell)(s_\ell)$. Hence $\bigwedge_\ell a \notin \widehat{sig(A_\ell)(s_\ell)}$. Now let $s = (s_1, \ldots, s_n)$, and let $t = (t_1, \ldots, t_n)$. By (b) and Definition 9, we have $s = last(\alpha')$. By (b), $\bigwedge_\ell a \notin int(A_\ell)(s_\ell)$, and Definition 6, we have $(s, a, t) \in steps(A)$. Now let $\alpha''$ be a finite execution fragment of $A$ constructed as follows. Let $t$ be the first state of $\alpha''$. Starting from $t$, execute in sequence first all the (internal) transitions along $\alpha''_{k_1}$, where $k_1$ is some element of $\varphi$, and then all the (internal) transitions along $\alpha''_{k_2}$, where $k_2$ is another element of $\varphi$, etc., until all elements of $\varphi$ have been exhausted. Since all the transitions are internal, Definition 6 gives us that $\alpha''$ is indeed an execution fragment of $A$. Furthermore, since no external signatures change along any of the $\alpha''_k$, it follows that the external signature does not change along $\alpha''$, and hence must equal $ext(A)(t)$ at all states along $\alpha''$. Hence $trace(\alpha'') = ext(A)(t)$. Finally, by its construction, we have $\alpha'' \lceil A_k = \alpha''_k$ for all $k$.


Let $\alpha = \alpha' \frown (s \xrightarrow{a}_A t) \frown \alpha''$. By the above, $\alpha$ is well defined, and is an execution of $A$. We now have

$$\begin{aligned}
ext(A)(t) &= (\textstyle\prod_k ext(A_k)(t_k)) \times (\textstyle\prod_\ell ext(A_\ell)(t_\ell)) &&\text{definition of } t\\
&= (\textstyle\prod_k \Gamma_k) \times (\textstyle\prod_\ell ext(A_\ell)(t_\ell)) &&\text{(c)}\\
&= (\textstyle\prod_k \Gamma_k) \times (\textstyle\prod_\ell \Gamma_\ell) &&\text{(d)}\\
&= \Gamma &&\text{(a)}
\end{aligned}$$


Also,

$$\begin{aligned}
trace(\alpha) &= trace(\alpha') \frown a \frown trace(\alpha'') &&\text{definition of } \alpha\\
&= trace(\alpha') \frown a \frown ext(A)(t) &&trace(\alpha'') = ext(A)(t)\\
&= trace(\alpha') \frown a \frown \Gamma &&ext(A)(t) = \Gamma \text{ established above}\\
&\approx \gamma' a \Gamma &&\alpha' \in execs^*(A)(\gamma'), \text{ hence } trace(\alpha') \approx \gamma'\\
&= \gamma &&\text{case condition}
\end{aligned}$$

For all $k \in \varphi$,

$$\begin{aligned}
\alpha \lceil A_k &= (\alpha' \lceil A_k) \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha'' \lceil A_k) &&\text{Definition 9 and definition of } \alpha\\
&= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha'' \lceil A_k) &&\text{by (c), } \alpha' \lceil A_k = \alpha'_k\\
&= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k &&\text{by the preceding remarks, } \alpha'' \lceil A_k = \alpha''_k\\
&= \alpha_k &&\text{by definition of } \alpha'_k, \alpha''_k : \alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k
\end{aligned}$$


For all $\ell \in [n] - \varphi$,

$$\begin{aligned}
\alpha \lceil A_\ell &= \alpha' \lceil A_\ell &&\text{Definition 9 and definition of } \alpha\\
&= \alpha'_\ell &&\text{by (c), } \alpha' \lceil A_\ell = \alpha'_\ell\\
&= \alpha_\ell &&\text{by our choice of } \alpha'_\ell,\ \alpha_\ell = \alpha'_\ell
\end{aligned}$$

We have just established $\alpha \in execs^*(A)$, $\alpha \lceil A_j = \alpha_j$ for all $j \in [n]$, and $trace(\alpha) \approx \gamma$. Hence $(*)$ is established for case 1.


Case 2: $\gamma = \gamma' \Gamma$, $\gamma'$ is a pretrace, and $\Gamma$ is an external signature.
Hence, by Definition 13, we have

$$\begin{aligned}
&\exists k \in [n] :\\
&\quad \gamma_k = \gamma'_k \Gamma_k \wedge last(\gamma'_k) \text{ is an external signature},\\
&\quad \forall \ell \in [n] - k : \gamma_\ell = \gamma'_\ell \Gamma_\ell \wedge last(\gamma'_\ell) = \Gamma_\ell,\\
&\quad zips(\gamma', \gamma'_1, \ldots, \gamma'_n),\\
&\quad \Gamma = \Gamma_k \times (\textstyle\prod_{\ell \in [n] - k} \Gamma_\ell). \qquad (a)
\end{aligned}$$

For the rest of this case, let $j$ range over $[n]$, and $\ell$ range over $[n] - k$. In (a), we have that $\gamma'_j \in pretraces^*(A_j)$ for all $j$, since $\gamma'_j < \gamma_j$ and $\gamma_j \in pretraces^*(A_j)$ for all $j$. Since we also have $\gamma' < \gamma$ and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we can apply the inductive hypothesis for $\gamma'$ to obtain

$$\forall \alpha'_1 \in execs^*(A_1)(\gamma'_1), \ldots, \forall \alpha'_n \in execs^*(A_n)(\gamma'_n) :\ \exists \alpha' \in execs^*(A) : trace(\alpha') \approx \gamma' \wedge (\textstyle\bigwedge_{j \in [n]} \alpha' \lceil A_j = \alpha'_j) \qquad (b)$$

By assumption, $\alpha_\ell \in execs(A_\ell)(\gamma_\ell)$. For all $\ell$, let $\alpha'_\ell = \alpha_\ell$, and let $s_\ell = t_\ell = last(\alpha_\ell)$. Hence $\alpha'_\ell \in execs(A_\ell)(\gamma'_\ell)$, since $\gamma'_\ell \approx \gamma_\ell$. Define $\alpha'_k$ as follows. If $\Gamma_k = last(\gamma'_k)$, then let $\alpha'_k = \alpha_k$. If $\Gamma_k \ne last(\gamma'_k)$, then we can find a finite execution $\alpha'_k$ and a finite execution fragment $\alpha''_k$ such that $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$, where $s_k = last(\alpha'_k)$, $ext(A_k)(t_k) = \Gamma_k$, and $t_k = first(\alpha''_k)$. The transition $s_k \xrightarrow{a}_{A_k} t_k$ must exist, since the external signature of $A_k$ changed along $\gamma_k$. Also, $\alpha''_k$ consists entirely of internal actions, and $trace(\alpha''_k) \approx \Gamma_k$, i.e., every state along $\alpha''_k$ has external signature $\Gamma_k$.

In both cases, $\alpha'_k \in execs(A_k)(\gamma'_k)$. Instantiating (b) for these choices of $\alpha'_j$, we obtain, for some $\alpha'$:

$$(\textstyle\bigwedge_j \alpha' \lceil A_j = \alpha'_j) \wedge \alpha' \in execs^*(A)(\gamma') \wedge (s_k, a, t_k) \in steps(A_k) \wedge ext(A_k)(t_k) = \Gamma_k \qquad (c)$$


We now have two subcases.

Subcase 2.1: $\Gamma_k = last(\gamma'_k)$.

So, $\alpha'_k = \alpha_k$. Since $\alpha'_\ell = \alpha_\ell$ for all $\ell \in [n] - k$, we get $\alpha'_j = \alpha_j$ for all $j \in [n]$. Now define $\alpha = \alpha'$. Hence, by (c), we obtain $(\bigwedge_j \alpha \lceil A_j = \alpha_j)$. Also by (c), $trace(\alpha') \approx \gamma'$, since $\alpha' \in execs^*(A)(\gamma')$. Hence $trace(\alpha) \approx \gamma'$.


By the case assumption, $last(\gamma')$ is an external signature. So, we have

$$\begin{aligned}
last(\gamma') &= last(\gamma'_k) \times (\textstyle\prod_\ell last(\gamma'_\ell)) &&zips(\gamma', \gamma'_1, \ldots, \gamma'_n) \text{ and Definition 13}\\
&= last(\gamma'_k) \times (\textstyle\prod_\ell \Gamma_\ell) &&\text{(a)}\\
&= \Gamma_k \times (\textstyle\prod_\ell \Gamma_\ell) &&\text{subcase assumption}\\
&= \Gamma &&\text{(a)}
\end{aligned}$$

By the case assumption, $\gamma = \gamma' \Gamma$. Hence $\gamma \approx \gamma'$. So, $trace(\alpha) \approx \gamma$. We have just established $\alpha \in execs(A)$, $\alpha \lceil A_j = \alpha_j$ for all $j \in [n]$, and $trace(\alpha) \approx \gamma$. Hence $(*)$ is established for subcase 2.1.


Subcase 2.2: $\Gamma_k \ne last(\gamma'_k)$.
Hence $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$, where $s_k = last(\alpha'_k)$ and $ext(A_k)(t_k) = \Gamma_k$.

Now let $s = (s_1, \ldots, s_n)$, and let $t = (t_1, \ldots, t_n)$. By (b) and Definition 9, we have $s = last(\alpha')$. By Definition 6, we have $(s, a, t) \in steps(A)$. Let $\alpha = \alpha' \frown (s \xrightarrow{a}_A t) \frown \alpha''$, where $\alpha''$ is the finite execution fragment of $A$ with first state $t$, and whose transitions are exactly those of $\alpha''_k$, with no other SIOA making any transitions. Since all the transitions of $\alpha''_k$ are internal, Definition 6 gives us that $\alpha''$ is indeed an execution fragment of $A$. Furthermore, since the external signature does not change along $\alpha''_k$, it follows that the external signature does not change along $\alpha''$, and hence must equal $ext(A)(t)$ at all states along $\alpha''$. Hence $trace(\alpha'') = ext(A)(t)$. Finally, by its construction, we have $\alpha'' \lceil A_k = \alpha''_k$.

By the above, $\alpha$ is well defined, and is an execution of $A$.


We now have

$$\begin{aligned}
ext(A)(t) &= ext(A_k)(t_k) \times (\textstyle\prod_\ell ext(A_\ell)(t_\ell)) &&\text{definition of } t\\
&= \Gamma_k \times (\textstyle\prod_\ell ext(A_\ell)(t_\ell)) &&\text{definition of } t_k\\
&= \Gamma_k \times (\textstyle\prod_\ell \Gamma_\ell) &&t_\ell = last(\alpha'_\ell), \text{ (a)}\\
&= \Gamma &&\text{(a)}
\end{aligned}$$

And so,

$$\begin{aligned}
trace(\alpha) &= trace(\alpha') \frown trace(\alpha'') &&\text{definition of } \alpha\\
&= trace(\alpha') \frown ext(A)(t) &&trace(\alpha'') = ext(A)(t)\\
&= trace(\alpha') \frown \Gamma &&ext(A)(t) = \Gamma \text{ established above}\\
&\approx \gamma' \Gamma &&\alpha' \in execs^*(A)(\gamma'), \text{ hence } trace(\alpha') \approx \gamma'\\
&= \gamma &&\text{case condition}
\end{aligned}$$

For $k$,

$$\begin{aligned}
\alpha \lceil A_k &= (\alpha' \lceil A_k) \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha'' \lceil A_k) &&\text{Definition 9 and definition of } \alpha\\
&= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha'' \lceil A_k) &&\text{by (c), } \alpha' \lceil A_k = \alpha'_k\\
&= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k &&\text{by the preceding remarks, } \alpha'' \lceil A_k = \alpha''_k\\
&= \alpha_k &&\text{by definition of } \alpha'_k, \alpha''_k : \alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k
\end{aligned}$$


For all $\ell \in [n] - k$,

$$\begin{aligned}
\alpha \lceil A_\ell &= \alpha' \lceil A_\ell &&\text{Definition 9 and definition of } \alpha\\
&= \alpha'_\ell &&\text{by (c), } \alpha' \lceil A_\ell = \alpha'_\ell\\
&= \alpha_\ell &&\text{by our choice of } \alpha'_\ell,\ \alpha_\ell = \alpha'_\ell
\end{aligned}$$

We have just established $\alpha \in execs(A)$, $\alpha \lceil A_j = \alpha_j$ for all $j \in [n]$, and $trace(\alpha) \approx \gamma$. Hence $(*)$ is established for subcase 2.2. Hence Case 2 of the inductive step is established.


Since both cases of the inductive step have been established, the theorem follows. $\square$


We use Theorem 7 and the definition of $zip$ (Definition 14) to establish a similar result for traces.


Corollary 8 (Finite trace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\beta$ be a finite trace and $\beta_1, \ldots, \beta_n$ be such that $\beta_j \in traces^*(A_j)$ for all $j \in [n]$. If $zip(\beta, \beta_1, \ldots, \beta_n)$ holds, then $\beta \in traces^*(A)$.

Proof: By Definition 14, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $(\bigwedge_{j \in [n]} \gamma_j \approx \beta_j)$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. By Theorem 7, $\exists \alpha \in execs^*(A) : trace(\alpha) \approx \gamma$. Hence $trace(\alpha) \approx \beta$. Since $\beta$ is a trace, we obtain $trace(\alpha) = \beta$. Since $\beta$ is finite, $\beta \in traces^*(A)$. $\square$


Theorem 9 extends Theorem 7 to infinite pretraces. That is, if a set of pretraces $\gamma_j$ of $A_j$ respectively, $j \in [n]$, can be "zipped up" to generate a pretrace $\gamma$, then $\gamma$ is a pretrace of $A = A_1 \parallel \cdots \parallel A_n$. The proof uses the result of Theorem 7 to construct an infinite family of finite executions, each of which is a prefix of the next, and such that the trace of each finite execution is stuttering-equivalent to a prefix of $\gamma$. Taking the limit of these executions under the prefix-ordering then yields an infinite execution $\alpha$ of $A$ whose trace is stuttering-equivalent to $\gamma$, as desired.

Theorem 9 (Pretrace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\gamma$ be a pretrace. If, for all $j \in [n]$, $\gamma_j \in pretraces(A_j)$ can be chosen so that $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds, then $\exists \alpha \in execs(A) : trace(\alpha) \approx \gamma$.


Proof: If $\gamma$ is finite, then the result follows from Theorem 7, and Definition 13, clause 1. Hence assume that $\gamma$ is infinite for the remainder of the proof. By Proposition 6, we have

$$\forall i, i > 0 \wedge ispretrace(\gamma|_i) : zips(\gamma|_i, \gamma_1|_i, \ldots, \gamma_n|_i) \qquad (a)$$

For any $i > 0$, if $ispretrace(\gamma|_i)$ and $zips(\gamma|_i, \gamma_1|_i, \ldots, \gamma_n|_i)$, then $\bigwedge_{j \in [n]} ispretrace(\gamma_j|_i)$, by Definition 13. Hence, by definition of a pretrace, we have

$$\textstyle\bigwedge_{j \in [n]}\ \forall i, i > 0 \wedge ispretrace(\gamma|_i) : \gamma_j|_i \in pretraces(A_j) \qquad (b)$$

By (a,b) and Theorem 7, we have

$$\forall i, i > 0 \wedge ispretrace(\gamma|_i) : \exists \alpha^i \in execs(A) : trace(\alpha^i) \approx \gamma|_i \qquad (c)$$

Now let $i', i''$ be such that $i' < i''$, $ispretrace(\gamma|_{i'})$, $ispretrace(\gamma|_{i''})$, and there is no $i' < i < i''$ such that $ispretrace(\gamma|_i)$. By Definition 10, we have that either $\gamma|_{i''} = (\gamma|_{i'}) a \Gamma$ or $\gamma|_{i''} = (\gamma|_{i'}) \Gamma$, for some action $a$ and external signature $\Gamma$. We can show that there exist $\alpha^{i'} \in execs(A)$, $\alpha^{i''} \in execs(A)$ such that $\alpha^{i'} < \alpha^{i''}$, $trace(\alpha^{i'}) \approx \gamma|_{i'}$, $trace(\alpha^{i''}) \approx \gamma|_{i''}$. This is established by the same argument as used for the inductive step in the proof of Theorem 7. In essence, $\alpha^{i''}$ is obtained inductively as an extension of $\alpha^{i'}$. We omit the (repetitive) details.

Let $prefixes(\gamma) = \{ i \mid i > 0 \wedge ispretrace(\gamma|_i) \}$. Hence, from this and (c), we have

$$\begin{aligned}
&\text{there exists a set } \{ \alpha^i \mid i \in prefixes(\gamma) \} \text{ such that}\\
&\quad \forall i \in prefixes(\gamma) : \alpha^i \in execs(A) \wedge trace(\alpha^i) \approx \gamma|_i\\
&\quad \forall i, i' \in prefixes(\gamma), i < i' : \alpha^i < \alpha^{i'} \qquad (d)
\end{aligned}$$

Now let $\alpha$ be the unique minimum sequence that satisfies $\forall i \in prefixes(\gamma) : \alpha^i < \alpha$. $\alpha$ exists by (d). Since every triple $(s, a, s')$ along $\alpha$ occurs in some $\alpha^i$, it must be a step of $A$. Hence $\alpha$ is an execution of $A$. Furthermore, every element of $\gamma$ occurs in some $\gamma|_i$, and hence will occur in the trace of $\alpha^i$, by (d) (note that a single element of $trace(\alpha)$ may account for multiple elements of $\gamma$). Hence this element will also occur in the trace of $\alpha$. Furthermore, the order of such elements in $trace(\alpha)$ is the same as their order in $\gamma$. Finally, $trace(\alpha)$ contains no elements other than those generated by some $\alpha^i$, and hence which occur in $\gamma|_i$ and so also in $\gamma$. Hence we conclude $trace(\alpha) \approx \gamma$. $\square$


We use Theorem 9 and the definition of $zip$ (Definition 14) to establish Corollary 10, which extends Corollary 8 to infinite traces. Corollary 10 gives our main trace pasting result, and is also used to establish trace substitutivity, Theorem 15, below.

Corollary 10 (Trace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\beta$ be a trace and $\beta_1, \ldots, \beta_n$ be such that $\beta_j \in traces(A_j)$ for all $j \in [n]$. If $zip(\beta, \beta_1, \ldots, \beta_n)$ holds, then $\beta \in traces(A)$.

Proof: By Definition 14, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $\bigwedge_{j \in [n]} \gamma_j \approx \beta_j$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. By Theorem 9, $\exists \alpha \in execs(A) : trace(\alpha) \approx \gamma$. Hence $trace(\alpha) \approx \beta$. Since $\beta$ is a trace, we obtain $trace(\alpha) = \beta$. Hence $\beta \in traces(A)$. $\square$


3.3. Trace Substitutivity for SIOA 


To establish trace substitutivity, we first need some preliminary technical results. These establish that for an execution $\alpha$ of $A = A_1 \parallel \cdots \parallel A_n$ and its projections $\alpha \lceil A_1, \ldots, \alpha \lceil A_n$, there exist corresponding (in the sense of being stuttering equivalent to the trace of) pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ respectively which "zip up," i.e., $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds. Our first proposition establishes this result for finite executions.

Proposition 11 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\alpha$ be any finite execution of $A$. Then, there exist finite pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx trace(\alpha)$, for all $j \in [n]$, $\gamma_j \approx trace(\alpha \lceil A_j)$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.


Proof: By induction on $|\alpha|$. For the rest of the proof, fix $\alpha$ to be some element of $execs^*(A)(\gamma)$.

Base case: $|\alpha| = 0$. Then $\alpha$ consists of a single state $s$. By Definition 6, we have $ext(A)(s) = \prod_{j \in [n]} ext(A_j)(s \lceil A_j)$. Let $\gamma$ consist of the single element $ext(A)(s)$ and for all $j \in [n]$, let $\gamma_j$ consist of the single element $ext(A_j)(s \lceil A_j)$. Hence $\gamma = \prod_{j \in [n]} \gamma_j$. By Definition 13, $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds.

Induction step: $|\alpha| > 0$. There are two cases to consider, according to whether the last transition of $\alpha$ is an external or internal action of $A$.


Case 1: $\alpha = \alpha' a t$ for some action $a$ and state $t$, where $a \in \widehat{ext(A)(last(\alpha'))}$.
We can apply the induction hypothesis to $\alpha'$ to obtain

$$\begin{aligned}
&\text{there exist pretraces } \gamma', \gamma'_1, \ldots, \gamma'_n \text{ such that}\\
&\quad \gamma' \approx trace(\alpha'),\ \textstyle\bigwedge_{j \in [n]} \gamma'_j \approx trace(\alpha' \lceil A_j), \text{ and } zips(\gamma', \gamma'_1, \ldots, \gamma'_n) \qquad (a)
\end{aligned}$$

Let $s = last(\alpha')$, and for all $j$, let $s_j = s \lceil A_j$, and $t_j = t \lceil A_j$. Let $\varphi = \{ j \mid a \in \widehat{ext(A_j)(s_j)} \}$. Let $k$ range over $\varphi$ and $\ell$ range over $[n] - \varphi$. Hence, $\bigwedge_\ell a \notin \widehat{sig(A_\ell)(s_\ell)}$. Hence, by Definition 6, $\bigwedge_\ell s_\ell = t_\ell$.
By Definition 9, for all $k$, we have $\alpha \lceil A_k = (\alpha' \lceil A_k) a t_k$. Hence $trace(\alpha \lceil A_k) = trace(\alpha' \lceil A_k) \frown a \frown ext(A_k)(t_k)$. For all $k$, we have $\gamma'_k \approx trace(\alpha' \lceil A_k)$ by (a). Let $\gamma_k = \gamma'_k \frown a \frown ext(A_k)(t_k)$. Hence $\gamma_k \approx trace(\alpha \lceil A_k)$.

By Definition 9, for all $\ell$, we have $\alpha \lceil A_\ell = \alpha' \lceil A_\ell$. Hence $trace(\alpha \lceil A_\ell) = trace(\alpha' \lceil A_\ell)$. Let $\gamma_\ell = \gamma'_\ell \frown ext(A_\ell)(s_\ell) \frown ext(A_\ell)(s_\ell)$. From $\gamma'_\ell \approx trace(\alpha' \lceil A_\ell)$ and $s = last(\alpha')$, we get $last(\gamma'_\ell) = ext(A_\ell)(last(\alpha' \lceil A_\ell)) = ext(A_\ell)(s_\ell)$. Hence $\gamma_\ell \approx \gamma'_\ell$. For all $\ell$, we have $\gamma'_\ell \approx trace(\alpha' \lceil A_\ell)$ by (a). Hence $\gamma_\ell \approx \gamma'_\ell \approx trace(\alpha' \lceil A_\ell) = trace(\alpha \lceil A_\ell)$. Thus, $\gamma_\ell \approx trace(\alpha \lceil A_\ell)$.

Let $\gamma = \gamma' \frown a \frown ext(A)(t)$. Now $trace(\alpha) = trace(\alpha' a t) = trace(\alpha') \frown a \frown ext(A)(t)$. From (a), $\gamma' \approx trace(\alpha')$. Hence $\gamma = \gamma' \frown a \frown ext(A)(t) \approx trace(\alpha') \frown a \frown ext(A)(t) = trace(\alpha)$. So, $\gamma \approx trace(\alpha)$.

From the previous three paragraphs, we have

$$\gamma \approx trace(\alpha) \wedge \textstyle\bigwedge_{j \in [n]} \gamma_j \approx trace(\alpha \lceil A_j). \qquad (b)$$

We now establish $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. We show that all clauses of Definition 13 are satisfied for $\gamma, \gamma_1, \ldots, \gamma_n$. By (a), $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$. We will use this repeatedly below.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we have $|\gamma'| = |\gamma'_1| = \cdots = |\gamma'_n|$. By construction $|\gamma| = |\gamma'| + 2$, and for all $j \in [n]$, $|\gamma_j| = |\gamma'_j| + 2$. Hence $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$. So clause 1 is satisfied.

By definition of $\varphi$, we have $\bigwedge_\ell a \notin \widehat{ext(A_\ell)(s_\ell)}$. By construction, the last three elements of $\gamma_\ell$ (for all $\ell$) are all $ext(A_\ell)(s_\ell)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 2 is satisfied.

By Definition 6, we have $ext(A)(t) = \prod_{j \in [n]} ext(A_j)(t_j)$. By construction, we have $last(\gamma) = ext(A)(t)$, $\bigwedge_k last(\gamma_k) = ext(A_k)(t_k)$, and $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(s_\ell)$. From $\bigwedge_\ell s_\ell = t_\ell$ (established above), we get $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(t_\ell)$. Hence $last(\gamma) = \prod_{j \in [n]} last(\gamma_j)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 3 is satisfied.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and the construction of $\gamma, \gamma_1, \ldots, \gamma_n$ (specifically, that $a$ is an external action), we conclude that clause 4 is satisfied.

Hence, we have established $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Together with (b), this establishes the inductive step in this case.


Case 2: $\alpha = \alpha' a t$ for some action $a$ and state $t$, where $a \in int(A)(last(\alpha'))$.
We can apply the induction hypothesis to $\alpha'$ to obtain

$$\begin{aligned}
&\text{there exist pretraces } \gamma', \gamma'_1, \ldots, \gamma'_n \text{ such that}\\
&\quad \gamma' \approx trace(\alpha'),\ \textstyle\bigwedge_{j \in [n]} \gamma'_j \approx trace(\alpha' \lceil A_j), \text{ and } zips(\gamma', \gamma'_1, \ldots, \gamma'_n) \qquad (a)
\end{aligned}$$

Let $s = last(\alpha')$, and for all $j$, let $s_j = s \lceil A_j$, and $t_j = t \lceil A_j$. Since $a$ is an internal action of $A$, it is executed by exactly one of the $A_1, \ldots, A_n$. Thus, there is some $k \in [n]$ such that $a \in int(A_k)(s_k)$, and for all $\ell \in [n] - k$, $a \notin \widehat{sig(A_\ell)(s_\ell)}$. Let $\ell$ range over $[n] - k$ for the rest of this case. Hence $\bigwedge_\ell s_\ell = t_\ell$, by Definition 6.

By Definition 9, we have $\alpha \lceil A_k = (\alpha' \lceil A_k) a t_k$. Hence $trace(\alpha \lceil A_k) = trace(\alpha' \lceil A_k) \frown ext(A_k)(t_k)$. For $k$, we have $\gamma'_k \approx trace(\alpha' \lceil A_k)$ by (a). Let $\gamma_k = \gamma'_k \frown ext(A_k)(t_k)$. Hence $\gamma_k \approx trace(\alpha \lceil A_k)$.

By Definition 9, for all $\ell$, we have $\alpha \lceil A_\ell = \alpha' \lceil A_\ell$. Hence $trace(\alpha \lceil A_\ell) = trace(\alpha' \lceil A_\ell)$. Let $\gamma_\ell = \gamma'_\ell \frown ext(A_\ell)(s_\ell)$. From $\gamma'_\ell \approx trace(\alpha' \lceil A_\ell)$ and $s = last(\alpha')$, we get $last(\gamma'_\ell) = ext(A_\ell)(last(\alpha' \lceil A_\ell)) = ext(A_\ell)(s_\ell)$. Hence $\gamma_\ell \approx \gamma'_\ell$. For all $\ell$, we have $\gamma'_\ell \approx trace(\alpha' \lceil A_\ell)$ by (a). Hence $\gamma_\ell \approx \gamma'_\ell \approx trace(\alpha' \lceil A_\ell) = trace(\alpha \lceil A_\ell)$. Thus, $\gamma_\ell \approx trace(\alpha \lceil A_\ell)$.

Let $\gamma = \gamma' \frown ext(A)(t)$. Now $trace(\alpha) = trace(\alpha' a t) = trace(\alpha') \frown ext(A)(t)$. From (a), $\gamma' \approx trace(\alpha')$. Hence $\gamma = \gamma' \frown ext(A)(t) \approx trace(\alpha') \frown ext(A)(t) = trace(\alpha)$. So, $\gamma \approx trace(\alpha)$.

From the previous three paragraphs, we have

$$\gamma \approx trace(\alpha) \wedge \textstyle\bigwedge_{j \in [n]} \gamma_j \approx trace(\alpha \lceil A_j). \qquad (b)$$
We now establish $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. We show that all clauses of Definition 13 are satisfied for $\gamma, \gamma_1, \ldots, \gamma_n$. By (a), $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$. We will use this repeatedly below.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we have $|\gamma'| = |\gamma'_1| = \cdots = |\gamma'_n|$. By construction $|\gamma| = |\gamma'| + 1$, and for all $j \in [n]$, $|\gamma_j| = |\gamma'_j| + 1$. Hence $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$. So clause 1 is satisfied.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and the construction of $\gamma, \gamma_1, \ldots, \gamma_n$ (specifically, that $a$ is an internal action), we conclude that clause 2 is satisfied.

By Definition 6, we have $ext(A)(t) = \prod_{j \in [n]} ext(A_j)(t_j)$. By construction, we have $last(\gamma) = ext(A)(t)$, $last(\gamma_k) = ext(A_k)(t_k)$, and $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(s_\ell)$. From $\bigwedge_\ell s_\ell = t_\ell$ (established above), we get $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(t_\ell)$. Hence $last(\gamma) = \prod_{j \in [n]} last(\gamma_j)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 3 is satisfied.

By construction, the last two elements of $\gamma_\ell$ (for all $\ell$) are both $ext(A_\ell)(s_\ell)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 4 is satisfied.

Hence, we have established $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Together with (b), this establishes the inductive step in this case.

Having established both possible cases, we conclude that the inductive step holds. $\square$

Proposition 12 extends the result of Proposition 11 to the (infinite set of) finite prefixes of an infinite execution. That is, for every finite prefix $\alpha|_i$ of an infinite execution $\alpha$ of $A = A_1 \parallel \cdots \parallel A_n$, and its projections $(\alpha|_i) \lceil A_1, \ldots, (\alpha|_i) \lceil A_n$, there exist corresponding (in the sense of being stuttering equivalent to the trace of) pretraces $\gamma^i$ and $\gamma^i_1, \ldots, \gamma^i_n$ respectively which "zip up," i.e., $zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$ holds. Furthermore, the pretraces $\gamma^{i-1}, \gamma^{i-1}_1, \ldots, \gamma^{i-1}_n$ corresponding to $\alpha|_{i-1}, (\alpha|_{i-1}) \lceil A_1, \ldots, (\alpha|_{i-1}) \lceil A_n$, respectively, are prefixes of the pretraces $\gamma^i, \gamma^i_1, \ldots, \gamma^i_n$, respectively.

Proposition 12 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\alpha$ be any execution of $A$. Then, there exists a set of tuples of finite pretraces $\{ (\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i \le |\alpha| \}$ such that:

1. $\forall i, 0 \le i \le |\alpha| : \gamma^i \approx trace(\alpha|_i) \wedge (\bigwedge_{j \in [n]} \gamma^i_j \approx trace((\alpha|_i) \lceil A_j))$
2. $\forall i, 0 \le i \le |\alpha| : zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$
3. $\forall i, 0 < i \le |\alpha| : \gamma^{i-1} \le \gamma^i \wedge (\bigwedge_{j \in [n]} \gamma^{i-1}_j \le \gamma^i_j)$


Proof: By induction on $i$.

Base case: $i = 0$. Then $\alpha|_0$ consists of a single state $s$. The proof then parallels the base case of the proof of Proposition 11. We omit the repetitive details.

Induction step: $i > 0$. Assume the inductive hypothesis for $0 \le i < m$, and establish it for $i = m$. By the inductive hypothesis, we obtain

there exists a set of tuples of finite pretraces $\{ (\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i < m \}$ such that:

1. $\forall i, 0 \le i < m : \gamma^i \approx trace(\alpha|_i) \wedge (\bigwedge_{j \in [n]} \gamma^i_j \approx trace((\alpha|_i) \lceil A_j))$
2. $\forall i, 0 \le i < m : zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$
3. $\forall i, 0 < i < m : \gamma^{i-1} \le \gamma^i \wedge (\bigwedge_{j \in [n]} \gamma^{i-1}_j \le \gamma^i_j)$

We now establish the inductive hypothesis for $i = m$, that is:

there exists a tuple of pretraces $(\gamma^m, \gamma^m_1, \ldots, \gamma^m_n)$ such that

1. $\gamma^m \approx trace(\alpha|_m) \wedge (\bigwedge_{j \in [n]} \gamma^m_j \approx trace((\alpha|_m) \lceil A_j))$,
2. $zips(\gamma^m, \gamma^m_1, \ldots, \gamma^m_n)$, and
3. $\gamma^{m-1} \le \gamma^m \wedge (\bigwedge_{j \in [n]} \gamma^{m-1}_j \le \gamma^m_j)$. $\qquad (*)$

There are two cases.

Case 1: $\alpha|_m = (\alpha|_{m-1}) a t$ for some action $a$ and state $t$, where $a \in \widehat{ext(A)(last(\alpha|_{m-1}))}$.

Case 2: $\alpha|_m = (\alpha|_{m-1}) a t$ for some action $a$ and state $t$, where $a \in int(A)(last(\alpha|_{m-1}))$.

To establish clauses 1 and 2 of $(*)$, the proofs for these cases proceed in exactly the same way as the proofs for cases 1 and 2 in the proof of Proposition 11, with $\alpha|_{m-1}$ playing the role of $\alpha'$, and $\alpha|_m$ playing the role of $\alpha$.

To establish clause 3 of $(*)$, we note that, in both cases 1 and 2 in the proof of Proposition 11, $\gamma, \gamma_1, \ldots, \gamma_n$ are constructed as extensions of $\gamma', \gamma'_1, \ldots, \gamma'_n$ respectively. Our proof here proceeds in exactly the same way, with $\gamma^{m-1}, \gamma^{m-1}_1, \ldots, \gamma^{m-1}_n$ playing the role of $\gamma', \gamma'_1, \ldots, \gamma'_n$ respectively, and $\gamma^m, \gamma^m_1, \ldots, \gamma^m_n$ playing the role of $\gamma, \gamma_1, \ldots, \gamma_n$, respectively. We omit the details. $\square$


Proposition 13 establishes the result of Proposition 11 for infinite executions. The proof uses the result of Proposition 12 and constructs the required pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ by taking the limit under the prefix-ordering of the $\gamma^i, \gamma^i_1, \ldots, \gamma^i_n$ given in Proposition 12, as $i$ tends to $\omega$.

Proposition 13 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\alpha$ be any execution of $A$. Then, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx trace(\alpha)$, for all $j \in [n]$, $\gamma_j \approx trace(\alpha \lceil A_j)$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.


Proof: If $\alpha$ is finite, then the result follows from Proposition 11. Hence, assume that $\alpha$ is infinite in the rest of the proof. By Proposition 12, we have

$$\begin{aligned}
&\text{there exists a set of tuples of finite pretraces } \{ (\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i \} \text{ such that:}\\
&\quad 1.\ \forall i, 0 \le i : \gamma^i \approx trace(\alpha|_i) \wedge (\textstyle\bigwedge_{j \in [n]} \gamma^i_j \approx trace((\alpha|_i) \lceil A_j))\\
&\quad 2.\ \forall i, 0 \le i : zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)\\
&\quad 3.\ \forall i, 0 < i : \gamma^{i-1} \le \gamma^i \wedge (\textstyle\bigwedge_{j \in [n]} \gamma^{i-1}_j \le \gamma^i_j) \qquad (a)
\end{aligned}$$

By clause 3 of (a), we can define $\gamma$ to be the unique sequence such that $\forall i, 0 \le i : \gamma^i < \gamma$, and, for all $j \in [n]$, $\gamma_j$ to be the unique sequence such that $\forall i, 0 \le i : \gamma^i_j < \gamma_j$. From clause 2 of (a) and Definition 13, we conclude $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

From clause 1 of (a), $\gamma \approx trace(\alpha) \wedge (\bigwedge_{j \in [n]} \gamma_j \approx trace(\alpha \lceil A_j))$.

Hence, the proposition is established. $\square$


Proposition 14 "lifts" the result of Proposition 13 from executions to traces; it shows that if $\beta$ is a trace of $A = A_1 \parallel \cdots \parallel A_n$ then there exist traces $\beta_1, \ldots, \beta_n$ of $A_1, \ldots, A_n$ respectively which zip up to $\beta$, that is, $zip(\beta, \beta_1, \ldots, \beta_n)$ holds. The proof is a straightforward application of Proposition 13.

Proposition 14 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. Let $\beta$ be an arbitrary element of $traces(A)$. Then, there exist $\beta_1, \ldots, \beta_n$ such that (1) for all $j \in [n] : \beta_j \in traces(A_j)$, and (2) $zip(\beta, \beta_1, \ldots, \beta_n)$.


Proof: Since $\beta \in traces(A)$, there exists $\alpha \in execs(A)$ such that $trace(\alpha) = \beta$. Applying Proposition 13 to $\alpha$, we have that there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx trace(\alpha)$, $(\forall j \in [n] : \gamma_j \approx trace(\alpha \lceil A_j))$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

For all $j \in [n]$, let $\beta_j = trace(\alpha \lceil A_j)$. By Theorem 4, $\alpha \lceil A_j \in execs(A_j)$. Hence $\beta_j \in traces(A_j)$. Thus, (1) is established.

From $\gamma_j \approx trace(\alpha \lceil A_j)$ and $\beta_j = trace(\alpha \lceil A_j)$, we have $\beta_j \approx \gamma_j$, for all $j \in [n]$. From $\gamma \approx trace(\alpha)$ and $\beta = trace(\alpha)$, we have $\gamma \approx \beta$. Hence, by Definition 14 and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$, we conclude $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence (2) is established. $\square$


Theorem 15 gives one of our main results: trace substitutivity. This states that, in a composition of $n$ SIOA, if one of the SIOA is replaced by another whose traces are a subset of those of the SIOA that was replaced, then this cannot increase the set of traces of the entire composition.

Theorem 15 (Trace Substitutivity for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \parallel \cdots \parallel A_n$. For some $j \in [n]$, let $A_j, A'_j$ be SIOA such that $traces(A_j) \subseteq traces(A'_j)$, and let $A' = A_1 \parallel \cdots \parallel A'_j \parallel \cdots \parallel A_n$. Then $traces(A) \subseteq traces(A')$.


Proof: Let $\beta$ be an arbitrary element of $traces(A)$. Then, by Proposition 14, there exist $\beta_1, \ldots, \beta_n$ such that $zip(\beta, \beta_1, \ldots, \beta_n)$, and $\bigwedge_{j \in [n]} \beta_j \in traces(A_j)$. By assumption, $traces(A_j) \subseteq traces(A'_j)$. Hence $\beta_j \in traces(A'_j)$.

Thus, we have $\beta_j \in traces(A'_j)$, $(\bigwedge_{k \in [n] - j} \beta_k \in traces(A_k))$, and $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence, by Corollary 10, $\beta \in traces(A')$. Since $\beta$ was chosen arbitrarily, we have $traces(A) \subseteq traces(A')$. $\square$


4 Simulation 


We define a notion of forward simulation [LV95] from one SIOA to another. Our notion requires 
the usual matching of every transition of the implementation by an execution fragment of the 
specification. It also requires that corresponding states have the same external signature. This 
gives us a reasonable notion of refinement, in that an implementation presents to its environment 
only those interfaces (i.e., external signatures) that are allowed by the specification. 


Definition 15 (Forward simulation) Let $A$ and $B$ be SIOA. A forward simulation from $A$ to 
$B$ is a relation $f$ over $states(A) \times states(B)$ that satisfies: 

1. If $s \in start(A)$, then $f[s] \cap start(B) \neq \emptyset$, 

2. If $s \stackrel{a}{\rightarrow}_A s'$ and $t \in f[s]$, then there exist $t' \in f[s']$, $t_1, \alpha_1, t_2, \alpha_2$ such that 

 (a) $t \stackrel{\alpha_1}{\Rightarrow}_B t_1 \stackrel{a}{\rightarrow}_B t_2 \stackrel{\alpha_2}{\Rightarrow}_B t'$, 

 (b) $\alpha_1, \alpha_2$ contain only internal actions of $B$, 

 (c) $ext(B)(u) = ext(A)(s)$ for all $u$ along $\alpha_1$ (including $t, t_1$), 

 (d) $ext(B)(v) = ext(A)(s')$ for all $v$ along $\alpha_2$ (including $t_2, t'$). 


We say A < B if a forward simulation from A to B exists. Our notion of correct implementation 
with respect to safety properties is given by trace inclusion, and is implied by forward simulation. 


Theorem 16 If $A \le B$ then $traces(A) \subseteq traces(B)$. 


Proof: Let $f$ be a forward simulation from $A$ to $B$. Then, we can show that for every execution 
$\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ of $A$, there exists an execution $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ of $B$ such that $\alpha$ and $\alpha'$ 
correspond in the following sense. There exists a total, nondecreasing mapping $m : \{0, 1, \ldots, |\alpha|\} \rightarrow 
\{0, 1, \ldots, |\alpha'|\}$ such that: 

1. $m(0) = 0$, 

2. $(s_i, u_{m(i)}) \in f$ for all $0 \le i \le |\alpha|$, 

3. $trace(u_{m(i-1)}\, b_{m(i-1)+1} \cdots b_{m(i)}\, u_{m(i)}) = trace(s_{i-1}\, a_i\, s_i)$ for all $0 < i \le |\alpha|$, and 

4. for all $j$, $0 \le j \le |\alpha'|$, there exists an $i$, $0 \le i \le |\alpha|$, such that $m(i) \ge j$. 

The mapping $m$ is referred to as an index mapping from $\alpha$ to $\alpha'$ with respect to $f$. We can then 
use this correspondence to establish that $trace(\alpha) = trace(\alpha')$. Since $\alpha$ is an arbitrary execution of 
$A$, it follows that $traces(A) \subseteq traces(B)$. 


The details of the above proof are essentially the same as the proofs of similar results in 
[GSSAL93], and are therefore omitted. The only difference is that we have to accommodate our 
different definition of a trace, which represents external signatures as well as external actions. Our 
notion of forward simulation is designed to exactly accommodate our notion of trace in this respect. 
5 Configurations and Configuration Automata 


Suppose a is an action of SIOA A whose execution has the side-effect of creating another SIOA B. 
To model this, we must keep track of the set of “alive” SIOA, i.e., those that have been created but 
not destroyed (we consider the automata that are initially present to be “created at time zero”). 
Thus, we require a transition relation over sets of SIOA. We also need to keep track of the current 
global state, i.e., the tuple of local states of every SIOA that is alive. Thus, we replace the notion 
of global state with the notion of “configuration,” i.e., the set A of alive SIOA, and a mapping S 
with domain A such that S(A) is the current local state of A, for each SIOA A € A. 


A configuration contains within it a set of SIOA, each of which embodies a transition relation. 
Thus, the possible transitions out of a configuration cannot be given arbitrarily, as when defining 
a transition relation over “unstructured” states. Rather, these transitions should be “intrinsically” 
determined by the SIOA in the configuration. Below we define the intrinsic transitions between 
configurations, and then define a “configuration automaton” as an SIOA whose transition relation 
respects these intrinsic transitions. Configuration automata are our principal semantic objects. 
Definition 16 (Configuration, Compatible configuration) A configuration is a pair $(\mathbf{A}, S)$ 
where 

• $\mathbf{A}$ is a finite set of signature I/O automaton identifiers, and 

• $S$ maps each $A \in \mathbf{A}$ to an $s \in states(A)$. 

A configuration $(\mathbf{A}, S)$ is compatible iff, for all $A \in \mathbf{A}$, $B \in \mathbf{A}$, $A \neq B$: 

1. $sig(A)(S(A)) \cap int(B)(S(B)) = \emptyset$, and 

2. $out(A)(S(A)) \cap out(B)(S(B)) = \emptyset$. 

The compatibility condition is the usual I/O automaton compatibility condition [LT89], applied 
to a configuration. If $C = (\mathbf{A}, S)$ is a configuration, then we use $(A, s) \in C$ as shorthand for 
$A \in \mathbf{A} \wedge S(A) = s$. 

A configuration is a “flat” structure in that it consists of a set of SIOA (identifier, local-state) 
pairs, with no grouping information. Such grouping could arise, for example, by the composition 
of subsystems into larger subsystems. This grouping will be reflected in the states of configuration 
automata, rather than the configurations themselves, which are not states, but are the semantic 
denotations of states. We defined a configuration to be a set of SIOA identifiers together with 
a mapping from identifiers to SIOA states. Hence, every SIOA is uniquely distinguished by its 
identifier. Thus our formalism does not a priori admit the existence of clones, as discussed in the 
introduction. 


Definition 17 (Intrinsic signature of a configuration) Let $C = (\mathbf{A}, S)$ be a compatible con- 
figuration. Then we define 

• $auts(C) = \mathbf{A}$ 

• $map(C) = S$ 

• $out(C) = \bigcup_{A \in \mathbf{A}} out(A)(S(A))$ 

• $in(C) = (\bigcup_{A \in \mathbf{A}} in(A)(S(A))) - out(C)$ 

• $int(C) = \bigcup_{A \in \mathbf{A}} int(A)(S(A))$ 

• $ext(C) = (in(C), out(C))$ 

• $sig(C) = (in(C), out(C), int(C))$ 

We call $sig(C)$ the intrinsic signature of $C$, since it is determined solely by $C$. 


Let $C = (\mathbf{A}, S)$ be a configuration. Define $reduce(C) = (\mathbf{A}', S|\mathbf{A}')$, where $\mathbf{A}' = \{A \mid A \in 
\mathbf{A} \text{ and } sig(A)(S(A)) \neq \emptyset\}$. $C$ is a reduced configuration iff $C = reduce(C)$. 


A consequence of this definition is that an empty configuration cannot execute any transitions. 
Note also that we do not define transitions from a non-compatible configuration. Thus, the initial 
configuration of a transition is guaranteed to be compatible. However, the final configuration of a 
transition may not be compatible. This may arise, for example, when two SIOA are involved in 
executing an action $a$, and their signatures in their final local states may contain output actions in 
common. Another possibility is when a new SIOA is created, and its signature in its initial state 
violates the compatibility condition (Definition 16) with respect to an already existing SIOA. 


We now define the intrinsic transitions $\stackrel{a}{\Rightarrow}_\varphi$ that can be taken from a given configuration 
$(\mathbf{A}, S)$. Our definition is parametrized by a set $\varphi$ of SIOA identifiers which represents the SIOA that 
are to be “created” by the execution of the transition. This set is not determined by the transition 
itself, but rather by the configuration automaton which has $(\mathbf{A}, S)$ as the semantic denotation of 
one of its states. Thus, it has to be supplied to the definition as a parameter. 


Definition 18 ($\stackrel{a}{\Rightarrow}_\varphi$) Let $(\mathbf{A}, S)$, $(\mathbf{A}', S')$ be arbitrary reduced compatible configurations, and let 
$\varphi \subseteq Autids$. Then $(\mathbf{A}, S) \stackrel{a}{\Rightarrow}_\varphi (\mathbf{A}', S')$ iff there exists a compatible configuration $(\mathbf{A}'', S'')$ such 
that 

1. $\mathbf{A}'' = \mathbf{A} \cup \varphi$, 

2. for all $A \in \mathbf{A}'' - \mathbf{A}$: $S''(A) \in start(A)$, 

3. for all $A \in \mathbf{A}$: if $a \in sig(A)(S(A))$ then $S(A) \stackrel{a}{\rightarrow}_A S''(A)$, otherwise $S(A) = S''(A)$, 

4. $(\mathbf{A}', S') = reduce((\mathbf{A}'', S''))$. 


All the SIOA with identifiers in $\varphi - \mathbf{A}$ ($= \mathbf{A}'' - \mathbf{A}$) are “created” in some start state (Clause 2). 
Also, we apply the reduce operator to the intermediate configuration (A”,S”) to obtain the final 
configuration (A’,S’) resulting from the transition. This removes all SIOA which have an empty 
signature, and is our mechanism for destroying SIOA. An SIOA with an empty signature cannot 
execute any transition, and so cannot change its state. Thus it will remain forever in its current 
state, and will be unable to interact with any other SIOA. Thus, an SIOA “self-destructs” by 
moving to a state with an empty signature. This is the only mechanism for SIOA destruction. In 
particular, we do not permit one SIOA to destroy another, although an SIOA can certainly send a 
“please destroy yourself” request to another SIOA. 
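Below is an added example (Python, not code from the paper) that enumerates the intrinsic transitions of Definition 18 for finite SIOA. The registry REG, the server and worker automata, and the function names (compatible, intrinsic_sig, reduce_conf, intrinsic_steps) are this example's own constructions; identifiers are plain strings standing in for Autids, and the set phi of created identifiers is passed in by the caller, as the text says it must be. The run shows creation in a start state (Clause 2), self-destruction by reduce when the worker moves to a state with empty signature, and the case where the intermediate configuration $(\mathbf{A}'', S'')$ is not compatible (two created workers with a common output), in which there is no transition at all.

```python
"""Configurations and intrinsic transitions (Definitions 16-18).

Added example, not code from the paper.  SIOA are looked up by identifier in
a registry REG (this example's stand-in for Autids).  A configuration is a
pair (ids, S): ids a frozenset of identifiers, S a dict identifier -> state.
"""
from itertools import product


class SIOA:
    def __init__(self, start, sig, steps):
        self.start = frozenset(start)   # start states
        self.sig = sig                  # state -> (inputs, outputs, internals)
        self.steps = frozenset(steps)   # (state, action, state) triples

    def acts(self, s):
        inp, out, internal = self.sig[s]
        return inp | out | internal


def compatible(conf, reg):
    """Definition 16: no output clash, nobody touches another's internals."""
    ids, S = conf
    for a in ids:
        ia, oa, na = reg[a].sig[S[a]]
        for b in ids:
            if a == b:
                continue
            ib, ob, nb = reg[b].sig[S[b]]
            if (ia | oa | na) & nb or oa & ob:
                return False
    return True


def intrinsic_sig(conf, reg):
    """Definition 17: (in, out, int) of a compatible configuration."""
    ids, S = conf
    out = frozenset().union(*(reg[a].sig[S[a]][1] for a in ids))
    inp = frozenset().union(*(reg[a].sig[S[a]][0] for a in ids)) - out
    internal = frozenset().union(*(reg[a].sig[S[a]][2] for a in ids))
    return inp, out, internal


def reduce_conf(conf, reg):
    """Drop every SIOA whose current signature is empty (self-destruction)."""
    ids, S = conf
    alive = frozenset(a for a in ids if reg[a].acts(S[a]))
    return alive, {a: S[a] for a in alive}


def intrinsic_steps(conf, a, phi, reg):
    """Definition 18: all (ids', S') with conf =a=>_phi (ids', S').
    conf must be a reduced compatible configuration; phi is the set of
    identifiers the step creates (chosen by the configuration automaton)."""
    ids, S = conf
    assert compatible(conf, reg) and reduce_conf(conf, reg)[0] == ids
    new_ids = ids | frozenset(phi)
    choices = []
    for x in new_ids:
        if x not in ids:                        # clause 2: created in a start state
            choices.append([(x, s0) for s0 in reg[x].start])
        elif a in reg[x].acts(S[x]):            # clause 3: must take an a-step
            choices.append([(x, t) for (u, b, t) in reg[x].steps if u == S[x] and b == a])
        else:                                   # clause 3: a not in its signature
            choices.append([(x, S[x])])
    results = []
    for combo in product(*choices):
        inter = (new_ids, dict(combo))          # the intermediate (A'', S'')
        if compatible(inter, reg):              # no transition if it is not compatible
            results.append(reduce_conf(inter, reg))   # clause 4
    return results


def fs(*xs):
    return frozenset(xs)


EMPTY = (fs(), fs(), fs())
# Constructed registry: a server whose output spawn creates a worker; a worker
# accepts one work input and then moves to a state with empty signature.
WORKER = SIOA({"ready"}, {"ready": (fs("work"), fs("result"), fs()), "fin": EMPTY},
              {("ready", "work", "fin")})
REG = {
    "srv": SIOA({"idle"}, {"idle": (fs(), fs("spawn"), fs())}, {("idle", "spawn", "idle")}),
    "w1": WORKER,
    "w2": WORKER,
}


def run_example():
    c0 = (fs("srv"), {"srv": "idle"})
    after_spawn = intrinsic_steps(c0, "spawn", {"w1"}, REG)             # creates w1
    after_work = intrinsic_steps(after_spawn[0], "work", set(), REG)    # w1 self-destructs
    clash = intrinsic_steps(c0, "spawn", {"w1", "w2"}, REG)              # w1, w2 share output
    return after_spawn, after_work, clash


if __name__ == "__main__":
    print(run_example())
```

The third call returns no successor: both created workers would output result in their start states, so the intermediate configuration violates Definition 16 and, exactly as the text says, the transition is simply not defined.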


Definition 19 (Configuration Automaton) A configuration automaton $X$ consists of the fol- 
lowing components 

1. A signature I/O automaton $sioa(X)$. 
For brevity, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) = 
sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and 
attributes of $sioa(X)$. 

2. A configuration mapping $config(X)$ with domain $states(X)$ and such that $config(X)(x)$ is a 
reduced compatible configuration for all $x \in states(X)$. 

3. For each $x \in states(X)$, a mapping $created(X)(x)$ with domain $sig(X)(x)$ and such that 
$created(X)(x)(a) \subseteq Autids$ for all $a \in sig(X)(x)$. 

and satisfies the following constraints 

1. If $x \in start(X)$ and $(A, s) \in config(X)(x)$, then $s \in start(A)$. 

2. If $(x, a, y) \in steps(X)$ then $config(X)(x) \stackrel{a}{\Rightarrow}_\varphi config(X)(y)$, where $\varphi = created(X)(x)(a)$. 

3. If $x \in states(X)$ and $config(X)(x) \stackrel{a}{\Rightarrow}_\varphi D$ for some action $a$, $\varphi = created(X)(x)(a)$, and 
reduced compatible configuration $D$, then $\exists y \in states(X) : config(X)(y) = D$ and $(x, a, y) \in 
steps(X)$. 

4. For all $x \in states(X)$ 

 (a) $out(X)(x) \subseteq out(config(X)(x))$ 

 (b) $in(X)(x) = in(config(X)(x))$ 

 (c) $int(X)(x) \supseteq int(config(X)(x))$ 

 (d) $out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$ 


The above constraints are needed to properly reflect the intrinsic transitions that a com- 
patible configuration is capable of: all of the successor configurations generated by such transitions 
must be represented in the states and transitions of X. This is a significant difference with the 
basic I/O automaton model: there, states are either “atomic” entities, or tuples of tuples of ... of 
atomic entities. Thus, states, in and of themselves, embody no information about their possible 
successor states. That information is given by the transition relation, and there are no constraints 
on the transition relation itself: any set of triples (state, action, state) which respects the input 
enabling requirement can be a transition relation. 


Since an SIOA that is created “within” a configuration automaton always remains within 
that automaton, we see that configuration automata serve as a natural encapsulation boundary 
for component creation. Even if an SIOA migrates and changes its location, it always remains a 
part of the same configuration automaton. Migration and location are not primitive notions in our 
model but are built on top of configuration automata and variable signatures, see Section 7 below. 


In the sequel, we write $config(X)(x) \stackrel{a}{\Rightarrow}_X config(X)(y)$ as an abbreviation for 
“$config(X)(x) \stackrel{a}{\Rightarrow}_\varphi config(X)(y)$ where $\varphi = created(X)(x)(a)$.” 


Definition 20 Let $X$ be a configuration automaton. For each $x \in states(X)$, define $auts(X)(x) = 
auts(config(X)(x))$. That is, $auts$ is a mapping from each state $x$ of $X$ to the set of SIOA in 
$config(X)(x)$. 


Definition 21 (Execution, trace of configuration automaton) A configuration automaton $X$ 
inherits the notions of execution fragment and execution from $sioa(X)$. Thus, $\alpha$ is an execution 
fragment (execution) of $X$ iff it is an execution fragment (execution) of $sioa(X)$. $execs(X)$ de- 
notes the set of executions of configuration automaton $X$. $X$ also inherits the notion of trace from 
$sioa(X)$. Thus, $\beta$ is a trace of $X$ iff it is a trace of $sioa(X)$. $traces(X)$ denotes the set of traces of 
configuration automaton $X$. 

We write $C \stackrel{\alpha}{\Rightarrow}_X C'$ iff there exists an execution fragment $\alpha$ (with $|\alpha| \ge 1$) of $X$ starting in $C$ 
and ending in $C'$. 


5.1 Parallel Composition of Configuration I/O Automata 


We now deal with the composition of configuration automata. 
Definition 22 (Union of configurations) Let $C_1 = (\mathbf{A}_1, S_1)$ and $C_2 = (\mathbf{A}_2, S_2)$ be configura- 
tions such that $\mathbf{A}_1 \cap \mathbf{A}_2 = \emptyset$. Then, the union of $C_1$ and $C_2$, denoted $C_1 \cup C_2$, is the configuration 
$C = (\mathbf{A}, S)$ where $\mathbf{A} = \mathbf{A}_1 \cup \mathbf{A}_2$, and $S$ agrees with $S_1$ on $\mathbf{A}_1$, and with $S_2$ on $\mathbf{A}_2$. 

It is clear that configuration union is commutative and associative. Hence, we will freely use 
the n-ary notation $C_1 \cup \cdots \cup C_n$ (for any $n \ge 1$) whenever $\bigwedge_{i, j \in [n],\, i \neq j} auts(C_i) \cap auts(C_j) = \emptyset$. 
Definition 23 (Compatible configuration automata) Let $X_1, \ldots, X_n$ be configuration au- 
tomata. $X_1, \ldots, X_n$ are compatible iff, for every $(x_1, \ldots, x_n) \in states(X_1) \times \cdots \times states(X_n)$, 

1. for all $i, j \in [n]$, $i \neq j$, $auts(config(X_i)(x_i)) \cap auts(config(X_j)(x_j)) = \emptyset$, 

2. $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a reduced compatible configuration, 

3. $\{sig(X_1)(x_1), \ldots, sig(X_n)(x_n)\}$ is a set of compatible signatures. 


Definition 24 (Composition of configuration automata) Let $X_1, \ldots, X_n$ be compatible con- 
figuration automata. Then $X = X_1 \parallel \cdots \parallel X_n$ is the state machine consisting of the following 
components: 

1. $sioa(X) = sioa(X_1) \parallel \cdots \parallel sioa(X_n)$. 

2. A configuration mapping $config(X)$ given as follows. For each $x = (x_1, \ldots, x_n) \in states(X)$, 
$config(X)(x) = config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$. 

3. For each $x \in states(X)$, a mapping $created(X)(x)$ with domain $sig(X)(x)$ and given as fol- 
lows. For each $a \in sig(X)(x)$, $created(X)(x)(a) = \bigcup_{i \in [n],\, a \in sig(X_i)(x_i)} created(X_i)(x_i)(a)$. 

As in Definition 19, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) = 
sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and attributes 
of $sioa(X)$. 


Proposition 17 Let $X_1, \ldots, X_n$ be compatible configuration automata. Then $X = X_1 \parallel \cdots \parallel X_n$ 
is a configuration automaton. 

Proof: We must show that $X$ satisfies the constraints of Definition 19. Since $X_1, \ldots, X_n$ are 
configuration automata, they already satisfy the constraints. The argument for each constraint 
then uses this together with Definition 24 to show that $X$ itself satisfies the constraints. The 
details are as follows, for each constraint in turn. 


Constraint 1. Let $x \in start(X)$ and $(A, s) \in config(X)(x)$. Then, $x = (x_1, \ldots, x_n)$ where $x_i \in 
start(X_i)$ for $1 \le i \le n$. By Definition 24, $config(X)(x) = config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$. 
Hence $(A, s) \in config(X_j)(x_j)$ for some $j \in [n]$. Also, $x_j \in start(X_j)$. Since $X_j$ is a configuration 
automaton, we apply Constraint 1 to $X_j$ to conclude $s \in start(A)$. Hence, Constraint 1 holds for 
$X$. 


Constraint 2. Let $(x, a, y)$ be an arbitrary element of $steps(X)$. We will establish 
$config(X)(x) \stackrel{a}{\Rightarrow}_X config(X)(y)$. 

For brevity, let $A_i = sioa(X_i)$ for $i \in [n]$. Now $(x, a, y) \in steps(X)$. So $(x, a, y) \in steps(sioa(X))$ 
by Definition 24. Also by Definition 24, $sioa(X) = sioa(X_1) \parallel \cdots \parallel sioa(X_n) = A_1 \parallel \cdots \parallel A_n$. So 
$(x, a, y) \in steps(A_1 \parallel \cdots \parallel A_n)$. Since $x, y \in states(A_1 \parallel \cdots \parallel A_n)$, we can write $x, y$ as $(x_1, \ldots, x_n)$, 
$(y_1, \ldots, y_n)$ respectively, where $x_i, y_i \in states(A_i)$ for $i \in [n]$. From Definition 6, there exists a 
nonempty $\psi \subseteq [n]$ such that 

$(\bigwedge_{i \in \psi} a \in sig(A_i)(x_i) \wedge (x_i, a, y_i) \in steps(A_i)) \wedge (\bigwedge_{i \in [n]-\psi} a \notin sig(A_i)(x_i) \wedge x_i = y_i)$. (a) 

Each $X_i$, $i \in [n]$, is a configuration automaton. Hence, by (a) and Constraint 2 applied to each $X_i$, 
$i \in \psi$, 

$\bigwedge_{i \in \psi} (config(X_i)(x_i) \stackrel{a}{\Rightarrow}_{X_i} config(X_i)(y_i))$. (b) 

Also by (a), 

$\bigwedge_{i \in [n]-\psi} (config(X_i)(x_i) = config(X_i)(y_i))$. (c) 

Since $X_1, \ldots, X_n$ are compatible, we have, by Definition 23, that $auts(config(X_i)(x_i)) \cap 
auts(config(X_j)(x_j)) = \emptyset$ for all $i, j \in [n]$, $i \neq j$, i.e., all SIOA in these configurations are unique, 
and that $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a compatible configuration. Since $X_1, \ldots, X_n$ 
are configuration automata, each of $config(X_1)(x_1), \ldots, config(X_n)(x_n)$ is a reduced configuration, 
by Definition 19. Hence $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is also reduced, and is therefore a 
reduced compatible configuration. 

By Definition 24, $created(X)(x)(a) = \bigcup_{i \in [n],\, a \in sig(X_i)(x_i)} created(X_i)(x_i)(a)$. By this, (b,c), and 
Definition 18, we obtain 

$(\bigcup_{i \in [n]} config(X_i)(x_i)) \stackrel{a}{\Rightarrow}_\varphi (\bigcup_{i \in [n]} config(X_i)(y_i))$, where $\varphi = created(X)(x)(a)$. (d) 

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$ and $config(X)(y) = \bigcup_{i \in [n]} config(X_i)(y_i)$. 
Hence 

$config(X)(x) \stackrel{a}{\Rightarrow}_X config(X)(y)$, 

and we are done. 


Constraint 3. Let $x$ be an arbitrary state in $states(X)$ and $D$ an arbitrary reduced compati- 
ble configuration such that $config(X)(x) \stackrel{a}{\Rightarrow}_X D$. We must show $\exists y \in states(X) : (x, a, y) \in 
steps(X)$ and $config(X)(y) = D$. 

We can write $x$ as $(x_1, \ldots, x_n)$ where $x_i \in states(X_i)$ for $i \in [n]$. 

Since $X_1, \ldots, X_n$ are compatible, we have, by Definition 23, that $auts(config(X_i)(x_i)) \cap 
auts(config(X_j)(x_j)) = \emptyset$ for all $i, j \in [n]$, $i \neq j$ (thus, all SIOA in these configurations are unique), 
and that $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a compatible configuration. Also, from Defini- 
tion 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. Hence from $config(X)(x) \stackrel{a}{\Rightarrow}_X D$, 

$(\bigcup_{i \in [n]} config(X_i)(x_i)) \stackrel{a}{\Rightarrow}_\varphi D$, where $\varphi = created(X)(x)(a)$. (a) 

Hence, from Definition 18, there exists a nonempty $\psi \subseteq [n]$ such that 

$(\bigwedge_{i \in \psi} a \in sig(X_i)(x_i)) \wedge (\bigwedge_{i \in [n]-\psi} a \notin sig(X_i)(x_i))$. (b) 

We now define $D_i$, $1 \le i \le n$, as follows. 

For $i \in [n] - \psi$, $D_i = config(X_i)(x_i)$. 
For $i \in \psi$, $D_i = (D\mathbf{A}_i, map(D)|D\mathbf{A}_i)$, where 
$D\mathbf{A}_i = \{A : A \in auts(D) \text{ and } [A \in auts(config(X_i)(x_i)) \text{ or } A \in created(X_i)(x_i)(a)]\}$. 

Hence, by definition of $D_i$, Definition 18, (a), and the compatibility of $X_1, \ldots, X_n$, we have 

$\bigwedge_{i \in \psi} (config(X_i)(x_i) \stackrel{a}{\Rightarrow}_{X_i} D_i)$. (c) 

Now each $X_i$, $i \in [n]$, is a configuration automaton. Hence, from (c) and Constraint 3 applied to 
$X_i$, $i \in \psi$, 

$\bigwedge_{i \in \psi} \exists y_i \in states(X_i) : config(X_i)(y_i) = D_i \text{ and } (x_i, a, y_i) \in steps(X_i)$. (d) 

Let $y = (y_1, \ldots, y_n)$ where, for $i \in \psi$, $y_i$ is given by (d), and for $i \in [n] - \psi$, $y_i = x_i$. Hence, 
for $i \in [n]$, $y_i \in states(X_i)$. Since $X_1, \ldots, X_n$ are compatible configuration automata, we get, by 
Definitions 19 and 23, 

$auts(config(X_i)(y_i)) \cap auts(config(X_j)(y_j)) = \emptyset$ for all $i, j \in [n]$, $i \neq j$, and 

$config(X_1)(y_1) \cup \cdots \cup config(X_n)(y_n)$ is a reduced compatible configuration. (e) 

Thus, in particular, all SIOA in the configurations $config(X_1)(y_1), \ldots, config(X_n)(y_n)$ are unique. 
From (d), for $i \in \psi$, $config(X_i)(y_i) = D_i$. By definition of $D_i$, for $i \in [n] - \psi$, $config(X_i)(x_i) = D_i$. 
By definition of $y_i$, for $i \in [n] - \psi$, $y_i = x_i$. Hence, for $i \in [n] - \psi$, $config(X_i)(y_i) = D_i$. Combining 
these, we get 

$\bigwedge_{i \in [n]} config(X_i)(y_i) = D_i$. (f) 

From the definition of $D_i$ and Definition 18, we have that $D = D_1 \cup \cdots \cup D_n$. Also, by Definition 24, 
$config(X)(y) = \bigcup_{i \in [n]} config(X_i)(y_i)$. By this, (f), and $D = D_1 \cup \cdots \cup D_n$, 

$config(X)(y) = D$. (g) 

By definition of $y_i$, for $i \in [n] - \psi$, $y_i = x_i$. By (d), for $i \in \psi$, $(x_i, a, y_i) \in steps(X_i)$. From these 
and (b), we get 

$\bigwedge_{i \in \psi} a \in sig(X_i)(x_i) \wedge (x_i, a, y_i) \in steps(X_i)$, 

$\bigwedge_{i \in [n]-\psi} a \notin sig(X_i)(x_i) \wedge y_i = x_i$. 

From this, $x = (x_1, \ldots, x_n)$, $y = (y_1, \ldots, y_n)$, and Definitions 6 and 24, we conclude $(x, a, y) \in 
steps(X)$. From this and (g), we have 

$(x, a, y) \in steps(X)$ and $config(X)(y) = D$, 

and we are done. 
Constraint 4. We treat each subconstraint in turn. 

Constraint 4a: $out(X)(x) \subseteq out(config(X)(x))$. 
By Definitions 24 and 6, 

$out(X)(x) = \bigcup_{i \in [n]} out(X_i)(x_i)$. (a) 

Since the $X_i$ are configuration automata, they all satisfy Constraint 4a. Hence 

$\bigwedge_{i \in [n]} out(X_i)(x_i) \subseteq out(config(X_i)(x_i))$. 

Taking the unions of both sides, over all $i \in [n]$, we obtain 

$(\bigcup_{i \in [n]} out(X_i)(x_i)) \subseteq (\bigcup_{i \in [n]} out(config(X_i)(x_i)))$. (b) 

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compati- 
ble configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible 
configuration. So, from Definition 17, we obtain 

$out(config(X)(x)) = \bigcup_{i \in [n]} out(config(X_i)(x_i))$. (c) 

From (a,b,c), we obtain $out(X)(x) = \bigcup_{i \in [n]} out(X_i)(x_i) \subseteq (\bigcup_{i \in [n]} out(config(X_i)(x_i))) = out(config(X)(x))$, 
as desired. 


Constraint 4b: $in(X)(x) = in(config(X)(x))$. By Definitions 24 and 6, 

$in(X)(x) = (\bigcup_{i \in [n]} in(X_i)(x_i)) - (\bigcup_{i \in [n]} out(X_i)(x_i))$. (a) 

Since the $X_i$ are configuration automata, they all satisfy Constraints 4a and 4b. Hence 

$\bigwedge_{i \in [n]} in(X_i)(x_i) = in(config(X_i)(x_i))$, 

$\bigwedge_{i \in [n]} out(X_i)(x_i) \subseteq out(config(X_i)(x_i))$. (b) 

Since the $X_i$ are configuration automata, they all satisfy Constraint 4d. Hence 

$\bigwedge_{i \in [n]} out(X_i)(x_i) \cup int(X_i)(x_i) = out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))$. (c) 

And so, 

$\bigwedge_{i \in [n]} out(config(X_i)(x_i)) \subseteq out(X_i)(x_i) \cup int(X_i)(x_i)$. (d) 

Since $out(X_i)(x_i) \cap int(X_i)(x_i) = \emptyset$ for all $i \in [n]$, by the partitioning of actions into input, output, 
and internal, we have, by (b,d), 

$\bigwedge_{i \in [n]} out(X_i)(x_i) = out(config(X_i)(x_i)) - int(X_i)(x_i)$. (e) 

Taking the unions of both sides, over all $i \in [n]$, in (b) and (e), we obtain 

$(\bigcup_{i \in [n]} in(X_i)(x_i)) = (\bigcup_{i \in [n]} in(config(X_i)(x_i)))$, 

$(\bigcup_{i \in [n]} out(X_i)(x_i)) = (\bigcup_{i \in [n]} (out(config(X_i)(x_i)) - int(X_i)(x_i)))$. (f) 

From (a,f), we obtain 

$in(X)(x) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} (out(config(X_i)(x_i)) - int(X_i)(x_i)))$. (g) 

From (c), 

$\bigwedge_{i \in [n]} int(X_i)(x_i) \subseteq out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))$. (h) 

Now $(out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))) \cap in(config(X_i)(x_i)) = \emptyset$, for all $i \in [n]$, by the 
partitioning of actions into input, output, and internal. Hence, by (h), 

$\bigwedge_{i \in [n]} int(X_i)(x_i) \cap in(config(X_i)(x_i)) = \emptyset$. (i) 

From (b,i), and the compatibility of $X_1, \ldots, X_n$, we get 

$(\bigcup_{i \in [n]} int(X_i)(x_i)) \cap (\bigcup_{i \in [n]} in(config(X_i)(x_i))) = \emptyset$. (j) 

From (g,j), 

$in(X)(x) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i)))$. (k) 

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compatible 
configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible 
configuration. So, from Definition 17, we obtain 

$in(config(X)(x)) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i)))$. (l) 

Finally, from (k,l), we obtain $in(X)(x) = (\bigcup_{i \in [n]} in(config(X_i)(x_i))) - (\bigcup_{i \in [n]} out(config(X_i)(x_i))) 
= in(config(X)(x))$, as desired. 


Constraint 4c: $int(X)(x) \supseteq int(config(X)(x))$. 
By Definitions 24 and 6, 

$int(X)(x) = \bigcup_{i \in [n]} int(X_i)(x_i)$. (a) 

Since the $X_i$ are configuration automata, they all satisfy Constraint 4c. Hence 

$\bigwedge_{i \in [n]} int(X_i)(x_i) \supseteq int(config(X_i)(x_i))$. 

Taking the unions of both sides, over all $i \in [n]$, we obtain 

$(\bigcup_{i \in [n]} int(X_i)(x_i)) \supseteq (\bigcup_{i \in [n]} int(config(X_i)(x_i)))$. (b) 

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compati- 
ble configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible 
configuration. So, from Definition 17, we obtain 

$int(config(X)(x)) = \bigcup_{i \in [n]} int(config(X_i)(x_i))$. (c) 

From (a,b,c), we obtain $int(X)(x) = \bigcup_{i \in [n]} int(X_i)(x_i) \supseteq (\bigcup_{i \in [n]} int(config(X_i)(x_i))) = int(config(X)(x))$, 
as desired. 


Constraint 4d: $out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$. 
By Definitions 24 and 6, 

$out(X)(x) = \bigcup_{i \in [n]} out(X_i)(x_i)$, 
$int(X)(x) = \bigcup_{i \in [n]} int(X_i)(x_i)$. (a) 

Since the $X_i$ are configuration automata, they all satisfy Constraint 4d. Hence 

$\bigwedge_{i \in [n]} (out(X_i)(x_i) \cup int(X_i)(x_i)) = (out(config(X_i)(x_i)) \cup int(config(X_i)(x_i)))$. 

Taking the unions of both sides, over all $i \in [n]$, we obtain 

$(\bigcup_{i \in [n]} out(X_i)(x_i) \cup int(X_i)(x_i)) = (\bigcup_{i \in [n]} out(config(X_i)(x_i)) \cup int(config(X_i)(x_i)))$. (b) 

By Definition 24, $config(X)(x) = \bigcup_{i \in [n]} config(X_i)(x_i)$. By assumption, $X_1, \ldots, X_n$ are compati- 
ble configuration automata. Hence, by Definition 23, $\bigcup_{i \in [n]} config(X_i)(x_i)$ is a reduced compatible 
configuration. So, from Definition 17, we obtain 

$out(config(X)(x)) = \bigcup_{i \in [n]} out(config(X_i)(x_i))$, 
$int(config(X)(x)) = \bigcup_{i \in [n]} int(config(X_i)(x_i))$. (c) 

From (a,b,c), we obtain $(out(X)(x) \cup int(X)(x)) = (\bigcup_{i \in [n]} out(X_i)(x_i) \cup int(X_i)(x_i)) = 
(\bigcup_{i \in [n]} out(config(X_i)(x_i)) \cup int(config(X_i)(x_i))) = out(config(X)(x)) \cup int(config(X)(x))$, as de- 
sired. 

Since we have established that $X$ satisfies all the constraints, the proof is done. $\Box$ 


5.2 Action Hiding for Configuration Automata 


Definition 25 (Action hiding for configuration automata) Let $X$ be a configuration automa- 
ton and $\Sigma$ a set of actions. Then $X \setminus \Sigma$ is the state machine consisting of the following components: 

1. $sioa(X \setminus \Sigma) = sioa(X) \setminus \Sigma$ 

2. A configuration mapping $config(X \setminus \Sigma) = config(X)$ 

3. For each $x \in states(X \setminus \Sigma)$, a mapping $created(X \setminus \Sigma)(x) = created(X)(x)$ 

As in Definition 19, we define $states(X \setminus \Sigma) = states(sioa(X \setminus \Sigma))$, $start(X \setminus \Sigma) = start(sioa(X \setminus \Sigma))$, 
$sig(X \setminus \Sigma) = sig(sioa(X \setminus \Sigma))$, $steps(X \setminus \Sigma) = steps(sioa(X \setminus \Sigma))$, and likewise for all other 
(sub)components and attributes of $sioa(X \setminus \Sigma)$. 

Proposition 18 Let $X$ be a configuration automaton and $\Sigma$ a set of actions. Then $X \setminus \Sigma$ is a 
configuration automaton. 
Proof: We must show that $X \setminus \Sigma$ satisfies the constraints of Definition 19. Since $X$ is a configuration 
automaton, Constraints 1, 2, and 3 hold for $X$. From Definitions 25 and 7, we see that the only 
components of $X$ and $X \setminus \Sigma$ that differ are the signature and its various subsets. Now Constraints 1, 
2, and 3 do not involve the signature. Hence, they also hold for $X \setminus \Sigma$. 

We deal with each subconstraint of Constraint 4 in turn. 

Constraint 4a: $out(X \setminus \Sigma)(x) \subseteq out(config(X \setminus \Sigma)(x))$. 
By Definition 25, $out(X \setminus \Sigma)(x) = out(sioa(X \setminus \Sigma))(x) = out(sioa(X) \setminus \Sigma)(x)$. By Definition 7, 
$out(sioa(X) \setminus \Sigma)(x) = out(sioa(X))(x) - \Sigma$. By Definition 19, which is applicable since $X$ is a con- 
figuration automaton, $out(sioa(X))(x) = out(X)(x)$. Hence, $out(sioa(X))(x) - \Sigma = out(X)(x) - \Sigma$. 
Putting the above equalities together, we obtain 

$out(X \setminus \Sigma)(x) = out(X)(x) - \Sigma$. (a) 

Since $X$ is a configuration automaton, it satisfies Constraint 4a. Hence 

$out(X)(x) \subseteq out(config(X)(x))$. (b) 

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence, 

$out(config(X)(x)) = out(config(X \setminus \Sigma)(x))$. (c) 

From (a,b,c), we obtain $out(X \setminus \Sigma)(x) \subseteq out(X)(x) \subseteq out(config(X)(x)) = out(config(X \setminus \Sigma)(x))$, 
as desired. 

Constraint 4b: $in(X \setminus \Sigma)(x) = in(config(X \setminus \Sigma)(x))$. 
By Definition 25, $in(X \setminus \Sigma)(x) = in(sioa(X \setminus \Sigma))(x) = in(sioa(X) \setminus \Sigma)(x)$. By Definition 7, 
$in(sioa(X) \setminus \Sigma)(x) = in(sioa(X))(x)$. By Definition 19, which is applicable since $X$ is a configura- 
tion automaton, $in(sioa(X))(x) = in(X)(x)$. Putting the above equalities together, we obtain 

$in(X \setminus \Sigma)(x) = in(X)(x)$. (a) 

Since $X$ is a configuration automaton, it satisfies Constraint 4b. Hence 

$in(X)(x) = in(config(X)(x))$. (b) 

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence, 

$in(config(X)(x)) = in(config(X \setminus \Sigma)(x))$. (c) 

From (a,b,c), we obtain $in(X \setminus \Sigma)(x) = in(X)(x) = in(config(X)(x)) = in(config(X \setminus \Sigma)(x))$, as 
desired. 

Constraint 4c: $int(X \setminus \Sigma)(x) \supseteq int(config(X \setminus \Sigma)(x))$. 
By Definition 25, $int(X \setminus \Sigma)(x) = int(sioa(X \setminus \Sigma))(x) = int(sioa(X) \setminus \Sigma)(x)$. By Definition 7, 
$int(sioa(X) \setminus \Sigma)(x) = int(sioa(X))(x) \cup (out(sioa(X))(x) \cap \Sigma)$. By Definition 19, which is appli- 
cable since $X$ is a configuration automaton, $int(sioa(X))(x) = int(X)(x)$ and $out(sioa(X))(x) = 
out(X)(x)$. Hence, $int(sioa(X) \setminus \Sigma)(x) = int(X)(x) \cup (out(X)(x) \cap \Sigma)$. Putting the above equali- 
ties together, we obtain 

$int(X \setminus \Sigma)(x) = int(X)(x) \cup (out(X)(x) \cap \Sigma)$. (a) 

Since $X$ is a configuration automaton, it satisfies Constraint 4c. Hence 

$int(X)(x) \supseteq int(config(X)(x))$. (b) 

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence, 

$int(config(X)(x)) = int(config(X \setminus \Sigma)(x))$. (c) 

From (a,b,c), we obtain $int(X \setminus \Sigma)(x) \supseteq int(X)(x) \supseteq int(config(X)(x)) = int(config(X \setminus \Sigma)(x))$, 
as desired. 

Constraint 4d: $out(X \setminus \Sigma)(x) \cup int(X \setminus \Sigma)(x) = out(config(X \setminus \Sigma)(x)) \cup int(config(X \setminus \Sigma)(x))$. 
In the proofs for Constraints 4a and 4c above, we established (the equations marked “(a)”) 

$out(X \setminus \Sigma)(x) = out(X)(x) - \Sigma$, 
$int(X \setminus \Sigma)(x) = int(X)(x) \cup (out(X)(x) \cap \Sigma)$. 

Now $(out(X)(x) - \Sigma) \cup (out(X)(x) \cap \Sigma) = out(X)(x)$, and so 

$out(X \setminus \Sigma)(x) \cup int(X \setminus \Sigma)(x) = out(X)(x) \cup int(X)(x)$. (a) 

Since $X$ is a configuration automaton, it satisfies Constraint 4d. Hence 

$out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$. (b) 

By Definition 25, $config(X \setminus \Sigma) = config(X)$. Hence, 

$out(config(X)(x)) \cup int(config(X)(x)) = out(config(X \setminus \Sigma)(x)) \cup int(config(X \setminus \Sigma)(x))$. (c) 

From (a,b,c), we obtain $out(X \setminus \Sigma)(x) \cup int(X \setminus \Sigma)(x) = out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup 
int(config(X)(x)) = out(config(X \setminus \Sigma)(x)) \cup int(config(X \setminus \Sigma)(x))$, as desired. 

Since we have established that $X \setminus \Sigma$ satisfies all the constraints, the proof is done. $\Box$ 


5.3 Action Renaming for Configuration Automata 


Definition 26 Let $C = (\mathbf{A}, S)$ be a compatible configuration and let $\rho$ be an injective mapping 
from actions to actions whose domain includes $\bigcup_{A \in \mathbf{A}} acts(A)$. Then we define $\rho(C) = (\rho(\mathbf{A}), \rho(S))$ 
where $\rho(\mathbf{A}) = \{\rho(A) \mid A \in \mathbf{A}\}$, and $\rho(S)(\rho(A)) = S(A)$ for all $A \in \mathbf{A}$. 


Definition 27 (Action renaming for configuration automata) Let $X$ be a configuration au- 
tomaton and let $\rho$ be an injective mapping from actions to actions whose domain includes $\bigcup_{x \in states(X)} sig(X)(x)$. 
Then $\rho(X)$ consists of the following components: 

1. A signature I/O automaton $\rho(sioa(X))$. 

2. A configuration mapping $config(\rho(X))$ with domain $states(X)$ and such that $config(\rho(X))(x) = 
\rho(config(X)(x))$. 

3. For each $x \in states(\rho(X))$, a mapping $created(\rho(X))(x)$ with domain $sig(\rho(X))(x)$ and such 
that $created(\rho(X))(x)(\rho(a)) = \{\rho(A) \mid A \in created(X)(x)(a)\}$ for all $a \in sig(X)(x)$. 

Proposition 19 Let $X$ be a configuration automaton and let $\rho$ be an injective mapping from actions 
to actions whose domain includes $\bigcup_{x \in states(X)} sig(X)(x)$. Then $\rho(X)$ is a configuration automaton. 


Proof: We must show that $\rho(X)$ satisfies the constraints of Definition 19. Since $X$ is a configuration 
automaton, Constraints 1, 2, and 3 hold for $X$. From Definitions 27 and 8, we see that the states of 
$\rho(X)$ and the local states recorded in the configurations $config(\rho(X))(x)$ are unchanged by applying $\rho$. Hence Constraint 1 
also holds for $\rho(X)$. 

Constraints 2 and 3 hold since $\rho$ is injective, so we can simply replace $a$ by $\rho(a)$ uniformly in 
the transition relation of both $\rho(X)$ and the configurations in $config(\rho(X))(x)$. The constraints for 
$\rho(X)$ then follow from the corresponding ones for $X$. 

By Definitions 26 and 27, we have $out(config(\rho(X))(x)) = \rho(out(config(X)(x)))$ and $out(\rho(X))(x) = 
\rho(out(X)(x))$. Since Constraint 4a holds for $X$, we have $out(X)(x) \subseteq out(config(X)(x))$. Hence 
$\rho(out(X)(x)) \subseteq \rho(out(config(X)(x)))$. Hence $out(\rho(X))(x) \subseteq out(config(\rho(X))(x))$. Hence Con- 
straint 4a holds for $\rho(X)$. 

The other subconstraints of Constraint 4 can be established in a similar manner. $\Box$ 


5.4 Multi-level Configuration Automata 


Since a configuration automaton is an SIOA, it is possible for a configuration automaton to create 
another configuration automaton. This leads to a notion of “multi-level,” or “nested” configuration 
automata. The nesting structure will be well-founded, that is, the binary relation “$X$ is created by 
$Y$” will be well-founded in all global states. 


This ability to nest entire configuration automata makes our model very flexible. For example, 
administrative domains can be modeled in a natural and straightforward manner. It should also 
be possible to emulate the operations of the ambient calculus [CG00]. 


6 Compositional Reasoning for Configuration Automata 


We now establish compositionality results for configuration automata analogous to those established 
above for SIOA. 


The notions of execution and trace of a configuration automaton X depend solely on the 
SIOA component sioa(X). Furthermore, the SIOA component of a composition of configuration 
automata depends only on the SIOA components of the individual configuration automata (see 
Definition 24). It follows that the results of Section 3 carry over for configuration automata with 
no modification. We restate them for configuration automata solely for the sake of completeness. 


6.1 Execution Projection and Pasting for Configuration Automata 


Definition 28 (Execution projection for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. Let $\alpha$ be a sequence $C_0 a_1 C_1 a_2 C_2 \ldots C_{j-1} a_j C_j \ldots$ where $\forall j \ge 0$, $C_j = \langle C_{j,1}, \ldots, C_{j,n} \rangle \in \mathit{states}(X)$ and $\forall j > 0$, $a_j \in \mathit{sig}(X)(C_{j-1})$. Then, define $C_j \upharpoonright X_i = C_{j,i}$. Also, define $\alpha \upharpoonright X_i$ ($1 \le i \le n$) to be the sequence resulting from: 

1. replacing each $C_j$ by its $i$'th component $C_{j,i}$, and then 

2. removing all $a_j C_{j,i}$ such that $a_j \notin \mathit{sig}(X_i)(C_{j-1,i})$. 


Our execution projection result states that the projection of an execution (of a composed 
configuration automaton $X = X_1 \parallel \cdots \parallel X_n$) onto a component $X_i$ is an execution of $X_i$. 


Theorem 20 (Execution projection for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. If $\alpha \in \mathit{execs}(X)$ then $\alpha \upharpoonright X_i \in \mathit{execs}(X_i)$. 
Our execution pasting result requires that a candidate execution $\alpha$ of a composed automaton 
$X = X_1 \parallel \cdots \parallel X_n$ must project onto an actual execution of every component $X_i$, and also that 
every action of $\alpha$ not involving $X_i$ does not change the configuration of $X_i$. In this case, $\alpha$ will be 
an actual execution of $X$. 


Theorem 21 (Execution pasting for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. Let $\alpha$ be a sequence $C_0 a_1 C_1 a_2 C_2 \ldots C_{j-1} a_j C_j \ldots$ where $\forall j \ge 0$, $C_j = \langle C_{j,1}, \ldots, C_{j,n} \rangle \in \mathit{states}(X)$ and $\forall j > 0$, $a_j \in \mathit{sig}(X)(C_{j-1})$. Furthermore, suppose that 

1. for all $1 \le i \le n$: $\alpha \upharpoonright X_i \in \mathit{execs}(X_i)$, and 

2. for all $j > 0$: if $a_j \notin \mathit{sig}(X_i)(C_{j-1,i})$ then $C_{j,i} = C_{j-1,i}$. 

Then, $\alpha \in \mathit{execs}(X)$. 
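As an added illustration (not code from the paper), the following Python implements the projection operator of Definition 28 and checks the two hypotheses of Theorem 21 on constructed executions of two small counter components; the `sig` and `is_exec` helpers are my stand-ins for the paper's state signatures and execution sets.

```python
# Added example (not from the paper): execution projection (Definition 28) and a
# check of Theorem 21's two pasting hypotheses over constructed executions.
# An execution alpha is (states, actions): states[j] is the composed state C_j,
# a tuple of component states, and actions[j-1] is a_j.  sig(i, s) is my stand-in
# for sig(X_i)(s), the set of actions component i can take in its state s.

def project(alpha, i, sig):
    """alpha|X_i: keep X_i's component of every state, drop every step a_j C_j
    whose action is not in X_i's signature at the preceding state C_{j-1,i}."""
    states, actions = alpha
    proj_states, proj_actions = [states[0][i]], []
    for j, a in enumerate(actions, start=1):
        if a in sig(i, states[j - 1][i]):
            proj_actions.append(a)
            proj_states.append(states[j][i])
    return proj_states, proj_actions

def pasting_ok(alpha, n, sig, is_exec):
    """Theorem 21 hypotheses: (1) every projection is an execution of X_i, and
    (2) a step outside X_i's signature leaves X_i's configuration unchanged."""
    states, actions = alpha
    for i in range(n):
        if not is_exec(i, project(alpha, i, sig)):
            return False
        for j, a in enumerate(actions, start=1):
            if a not in sig(i, states[j - 1][i]) and states[j][i] != states[j - 1][i]:
                return False
    return True

# Constructed components: each X_i is a counter.  X_0 takes 'a' only while its
# count is below 2; X_1 takes 'a' or 'b' in any state.  Every step adds one.
def sig(i, s):
    return {"a"} if (i == 0 and s < 2) else (set() if i == 0 else {"a", "b"})

def is_exec(i, proj):
    """Is the projected sequence an execution of counter X_i?"""
    states, actions = proj
    if states[0] != 0:
        return False
    return all(a in sig(i, states[j - 1]) and states[j] == states[j - 1] + 1
               for j, a in enumerate(actions, start=1))

# A composed execution: 'b' involves only X_1, so X_0's component stays at 1.
GOOD = ([(0, 0), (1, 1), (1, 2), (2, 3)], ["a", "b", "a"])
# Violates hypothesis (2): X_0 changes state on 'b', which is not in its signature.
BAD = ([(0, 0), (1, 1), (2, 2)], ["a", "b"])
```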


6.2 Trace Pasting for Configuration Automata 


Corollary 22 (Trace pasting for Configuration Automata) Let $X_1, \ldots, X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. Let $\beta$ be a trace and $\beta_1, \ldots, \beta_n$ be such that $\beta_j \in \mathit{traces}(X_j)$ for all $j \in [n]$. If $\mathit{zip}(\beta, \beta_1, \ldots, \beta_n)$ holds, then $\beta \in \mathit{traces}(X)$. 


6.3 Trace Substitutivity for Configuration Automata 


Theorem 23 (Trace Substitutivity for Configuration Automata) Let $X_1, \ldots, X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. For some $j \in [n]$, let $X_j, X'_j$ be configuration automata such that $\mathit{traces}(X_j) \subseteq \mathit{traces}(X'_j)$, and let $X' = X_1 \parallel \cdots \parallel X'_j \parallel \cdots \parallel X_n$. Then $\mathit{traces}(X) \subseteq \mathit{traces}(X')$. 


7 Modeling Dynamic Connection and Locations 


We stated in the introduction that we model both the dynamic creation/moving of connections, and 
the mobility of agents, by using dynamically changing external interfaces. The guiding principle 
here is the notion that an agent should only interact directly with either (1) another co-located 
agent, or (2) a channel one of whose ends is co-located with the agent. Thus, we restrict interaction 
according to the current locations of the agents. 


We adopt a logical notion of location: a location is simply a value drawn from the domain 
of “all locations.” To codify our guiding principle, we partition the set of SIOA into two subsets, 
namely the set of agent SIOA, and the set of channel SIOA. Agent SIOA have a single location, 
and represent agents, and channel SIOA have two locations, namely their current endpoints. We 
assume that all configurations are compatible, and codify the guiding principle as follows: for any 
configuration, all of the following conditions hold: (1) two agent SIOA have a common external action 
only if they have the same location, (2) an agent SIOA and a channel SIOA have a common external 
action only if one of the channel endpoints has the same location as the agent SIOA, and (3) two 
channel SIOA have no common external actions. 
8 Example: A Travel Agent System 


Our example is a simple flight ticket purchase system. A client requests to buy an airline ticket. 
The client gives some “flight information,” f, e.g., route and acceptable times for departure, arrival 
etc., and specifies a maximum price f.mp they can pay. f contains all the client information, 
including mp, as well as an identifier that is unique across all client requests. The request goes to 
a static (always existing) “client agent,” who then creates a special “request agent” dedicated to 
the particular request. That request agent then visits a (fixed) set of databases where the request 
might be satisfied. If the request agent finds a satisfactory flight in one of the databases, i.e., a 
flight that conforms to f and has price < mp, then it purchases some such flight, and returns a 
flight descriptor fd giving the flight, and the price paid (fd.p) to the client agent, who returns it to 
the client. The request agent then terminates. 


The agents in the system are: (1) ClientAgt, who receives all requests from the client, (2) 
ReqAgt(f), responsible for handling request f, and (3) DBAgt_d, d ∈ D, the agent (i.e., front-end) 
for database d, where D is the set of all databases in the system. In writing automata, we shall 
identify automata using a “type name” followed by some parameters. This is only a notational 
convenience, and is not part of our model. 


We first present a specification automaton, and then the client agent and request agents of 
an implementation (the database agents provide a straightforward query/response functionality, 
and are omitted for lack of space). When writing sets of actions, we make the convention that all 
free variables are universally quantified over their domains, so, e.g., {inform_d(f, flts), conf_d(fd, ok?)} 
within action select_d(f) below really denotes {inform_d(f, flts), conf_d(fd, ok?) | fd ∈ F, flts ⊆ F, ok? ∈ 
Bool}. 


In the implementation, we enforce locality constraints by modifying the signature of ReqAgt(f) 
so that it can only query a database d if it is currently at location d (we use the database names 
for their locations). We allow ReqAgt(f) to communicate with ClientAgt regardless of its location. 
A further refinement would insert a suitable channel between ReqAgt(f) and ClientAgt for this 
communication (one end of which would move along with ReqAgt(f)), or would move ReqAgt(f) 
back to the location of ClientAgt. 


We use “state variables” in, out, and int to denote the current sets of input, output, and 
internal actions in the SIOA state signature. 
Specification: Spec 

Signature 

Input: 
  request(f), where f ∈ F 
  inform_d(f, flts), where d ∈ D, f ∈ F, and flts ⊆ F 
  conf_d(f, fd, ok?), where d ∈ D, f, fd ∈ F, and ok? ∈ Bool 
  select_d(f), where d ∈ D and f ∈ F 
  adjustsig(f), where f ∈ F 
  initially: {request(f) : f ∈ F} ∪ {select_d(f) : d ∈ D, f ∈ F} 
Output: 
  query_d(f), where d ∈ D and f ∈ F 
  buy_d(f, flts), where d ∈ D, f ∈ F, and flts ⊆ F 
  response(f, fd, ok?), where f, fd ∈ F and ok? ∈ Bool 
  initially: {response(f, fd, ok?) : f, fd ∈ F, ok? ∈ Bool} 
Internal: 
  initially: ∅ 

State 
  status_f ∈ {notsubmitted, submitted, computed, replied}, status of request f, initially notsubmitted 
  trans_{f,d} ∈ Bool, true iff the system is currently interacting with database d on behalf of request f, initially false 
  okflts_{f,d} ⊆ F, set of acceptable flights that has been found so far, initially empty 
  resps ⊆ F × F × Bool, responses that have been calculated but not yet sent to client, initially empty 
  x_{f,d} ∈ ℕ, bound on the number of times database d is queried on behalf of request f before a negative reply is returned to the client, initially any natural number greater than zero 

Actions 
Input request(f) 
  Eff: status_f ← submitted 

Input select_d(f) 
  Eff: in ← (in ∪ {inform_d(f, flts), conf_d(fd, ok?)}) − {inform_d'(f, flts), conf_d'(fd, ok?) : d' ≠ d}; 
       out ← (out ∪ {query_d(f), buy_d(f, fd)}) − {query_d'(f), buy_d'(f, fd) : d' ≠ d} 

Output query_d(f) 
  Pre: status_f = submitted ∧ x_{f,d} > 0 
  Eff: x_{f,d} ← x_{f,d} − 1; 
       trans_{f,d} ← true 

Input inform_d(f, flts) 
  Eff: okflts_{f,d} ← okflts_{f,d} ∪ {fd : fd ∈ flts ∧ fd.p < f.mp} 

Output buy_d(f, flts) 
  Pre: status_f = submitted ∧ flts = okflts_{f,d} ≠ ∅ ∧ trans_{f,d} 
  Eff: skip 


Input conf_d(f, fd, ok?) 
  Eff: trans_{f,d} ← false; 
       if ok? then 
         resps ← resps ∪ {(f, fd, true)}; 
         status_f ← computed 
       else 
         if ∀d : x_{f,d} = 0 then 
           resps ← resps ∪ {(f, ⊥, false)}; 
           status_f ← computed 
         else 
           skip 

Output response(f, fd, ok?) 
  Pre: (f, fd, ok?) ∈ resps ∧ status_f = computed 
  Eff: status_f ← replied 

Input adjustsig(f) 
  Eff: in ← in − {inform_d(f, flts), conf_d(f, fd, ok?)}; 
       out ← out − {query_d(f), buy_d(f, fd)} 


We now give the client agent and request agents of the implementation. The initial configura- 
tion consists solely of the client agent ClientAgt. 
Client Agent: ClientAgt 

Signature 

Input: 
  request(f), where f ∈ F 
  req-agent-response(f, fd, ok?), where f, fd ∈ F, and ok? ∈ Bool 
Output: 
  response(f, fd, ok?), where f, fd ∈ F and ok? ∈ Bool 
Internal: 
  create(ClientAgt, ReqAgt(f)), where f ∈ F 

State 
  reqs ⊆ F, outstanding requests, initially empty 
  created ⊆ F, outstanding requests for whom a request agent has been created, but the response has not yet been returned to the client, initially empty 
  resps ⊆ F × F × Bool, responses not yet returned to client, initially empty 

Actions 
Input request(f) 
  Eff: reqs ← reqs ∪ {f} 

Input req-agent-response(f, fd, ok?) 
  Eff: resps ← resps ∪ {(f, fd, ok?)}; 
       done ← done ∪ {f} 

Output create(ClientAgt, ReqAgt(f)) 
  Pre: f ∈ reqs ∧ f ∉ created 
  Eff: created ← created ∪ {f} 

Output response(f, fd, ok?) 
  Pre: (f, fd, ok?) ∈ resps 
  Eff: resps ← resps − {(f, fd, ok?)} 


ClientAgt receives requests from a client (not portrayed), via the request input action. ClientAgt 
accumulates these requests in reqs, and creates a request agent ReqAgt(f) for each one. Upon re- 
ceiving a response from the request agent, via input action req-agent-response, the client agent adds 
the response to the set resps, and subsequently communicates the response to the client via the 
response output action. It also removes all record of the request at this point. 
Request Agent: ReqAgt(f) where f ∈ F 

Signature 
Input: 
  inform_d(f, flts), where d ∈ D and flts ⊆ F 
  conf_d(f, fd, ok?), where d ∈ D, fd ∈ F, and ok? ∈ Bool 
  move_f(c, d), where d ∈ D 
  move_f(d, d'), where d, d' ∈ D and d ≠ d' 
  terminate(ReqAgt(f)) 
  initially: {move_f(c, d), where d ∈ D} 
Output: 
  query_d(f), where d ∈ D 
  buy_d(f, flts), where d ∈ D and flts ⊆ F 
  req-agent-response(f, fd, ok?), where fd ∈ F and ok? ∈ Bool 
  initially: ∅ 
Internal: 
  initially: ∅ 

State 
  location ∈ c ∪ D, location of the request agent, initially c, the location of ClientAgt 
  status ∈ {notsubmitted, submitted, computed, replied}, status of request f, initially notsubmitted 
  trans_d ∈ Bool, true iff ReqAgt(f) is currently interacting with database d (on behalf of request f), initially false 
  DBagents ⊆ D, databases that have not yet been queried, initially the list of all databases D 
  donedb ∈ Bool, boolean flag, initially false 
  done ∈ Bool, boolean flag, initially false 
  tkt ∈ F, the flight ticket that ReqAgt(f) purchases on behalf of the client, initially ⊥ 
  okflts_d ⊆ F, set of acceptable flights that ReqAgt(f) has found so far, initially empty 

Actions 
Input move_f(c, d) 
  Eff: location ← d; 
       donedb ← false; 
       in ← {inform_d(f, flts), conf_d(f, fd, ok?)}; 
       out ← {query_d(f), buy_d(f, fd), req-agent-response(f, fd, ok?)}; 
       int ← ∅ 

Output query_d(f) 
  Pre: location = d ∧ d ∈ DBagents ∧ tkt = ⊥ 
  Eff: DBagents ← DBagents − {d}; 
       trans_d ← true 

Input inform_d(f, flts) 
  Eff: okflts_d ← okflts_d ∪ {fd : fd ∈ flts ∧ fd.p < f.mp}; 
       if okflts_d = ∅ then 
         trans_d ← false; 
         int ← {move_f(d, d') : d' ∈ DBagents − {d}} 

Output buy_d(f, flts) 
  Pre: location = d ∧ flts = okflts_d ≠ ∅ ∧ tkt = ⊥ ∧ trans_d ∧ status = submitted 
  Eff: skip 

Input conf_d(f, fd, ok?) 
  Eff: trans_d ← false; 
       if ok? then 
         tkt ← fd; 
         status ← computed 
       else 
         if DBagents = ∅ then 
           status ← computed 
         else 
           skip 

Input move_f(d, d') 
  Eff: location ← d'; 
       donedb ← false; 
       in ← {inform_d'(f, flts), conf_d'(f, fd, ok?)}; 
       out ← {query_d'(f), buy_d'(f, fd), req-agent-response(f, fd, ok?)}; 
       int ← ∅ 

Output req-agent-response(f, fd, ok?) 
  Pre: status = computed ∧ 
       ((fd = tkt ≠ ⊥ ∧ ok?) ∨ 
        (DBagents = ∅ ∧ fd = ⊥ ∧ ¬ok?)) 
  Eff: status ← replied; 
       in ← ∅; 
       out ← ∅; 
       int ← ∅ 


ReqAgt(f) handles the single request f, and then terminates itself. ReqAgt(f) has initial 
location c (the location of ClientAgt) and traverses the databases in the system, querying each database 
d using query_d(f). Database d returns a set of flights that match the schedule information in f. 
Upon receiving this (inform_d(f, flts)), ReqAgt(f) searches for a suitably cheap flight (the ∃fd ∈ flts : 
fd.p < f.mp condition in inform_d(f, flts)). If such a flight exists, then ReqAgt(f) attempts to buy 
it (buy_d(f, flts) and conf_d(f, fd, ok?)). If successful, then ReqAgt(f) returns a positive response to 
ClientAgt and terminates. ReqAgt(f) can return a negative response if it queries each database 
once and fails to buy a flight. 
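As an added illustration that is not part of the paper, the following Python models a reduced ReqAgt(f) whose state signature is rewritten on each move, showing how the location-dependent `out` set makes query_d enabled only while the agent is at d (the locality principle of Section 7, with database names as locations); the class, the (id, price) flight tuples and the use of None for ⊥ are my own assumptions.

```python
# Added example (not the paper's own code): a reduced ReqAgt(f) in which the
# state signature (`inp`, `out`) is rewritten on every move, as the move_f
# actions above do, so query_d/buy_d are only enabled while the agent is at
# database d.  Flights are constructed (id, price) tuples, f is a dict holding
# f.mp, and the paper's ⊥ is represented as None.

class ReqAgt:
    def __init__(self, f, dbs, c="c"):
        self.f, self.location = f, c
        self.DBagents = set(dbs)                 # databases not yet queried
        self.status, self.tkt = "submitted", None
        self.trans = {d: False for d in dbs}
        self.okflts = {d: set() for d in dbs}
        self.inp = {("move", c, d) for d in dbs}  # initially: {move_f(c, d)}
        self.out = set()

    def move(self, d):
        """move_f(c,d) / move_f(d,d'): relocate and re-point the signature at d."""
        self.location = d
        self.inp = {("inform", d), ("conf", d)}
        self.out = {("query", d), ("buy", d), ("req-agent-response",)}

    def query_enabled(self, d):
        """Pre of query_d(f), plus the requirement that query_d is in `out`."""
        return (("query", d) in self.out and self.location == d
                and d in self.DBagents and self.tkt is None)

    def query(self, d):
        assert self.query_enabled(d)
        self.DBagents.discard(d)
        self.trans[d] = True

    def inform(self, d, flts):
        """inform_d(f, flts): collect affordable flights; if none, enable moves."""
        assert ("inform", d) in self.inp
        self.okflts[d] |= {fd for fd in flts if fd[1] < self.f["mp"]}
        if not self.okflts[d]:
            self.trans[d] = False
            return {("move", d, d2) for d2 in self.DBagents - {d}}
        return set()

    def conf(self, d, fd, ok):
        """conf_d(f, fd, ok?): record the purchase, or give up when no DB is left."""
        assert ("conf", d) in self.inp
        self.trans[d] = False
        if ok:
            self.tkt, self.status = fd, "computed"
        elif not self.DBagents:
            self.status = "computed"

    def response_enabled(self, fd, ok):
        """Pre of req-agent-response(f, fd, ok?)."""
        return self.status == "computed" and (
            (ok and fd is not None and fd == self.tkt)
            or (not ok and fd is None and not self.DBagents))
```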


We note that the implementation refines the specification (provided that all actions except 
request(f) and response(f, fd, ok?) are hidden) even though the implementation queries each database 
exactly once before returning a negative response, whereas the specification queries each database 
some finite number of times before doing so. Thus, no reasonable bisimulation notion could be es- 
tablished between the specification and the implementation. Hence, the use of a simulation, rather 
than a bisimulation, allows us much more latitude in refining a specification into an implementation. 


9 Conclusions and Further Research 


There are many avenues for further work. We will investigate the relationship between DIOA and 
the π-calculus, and will in particular look into embedding the π-calculus into DIOA. This should 
provide insight into the relationship between the two models, and into the implications of the choice 
of primitive notion: automata and actions for DIOA versus names and channels for the π-calculus. We 
note that the use of unique SIOA identifiers is crucial to our model: it enables the definition 
of the execution projection operator, and the establishment of execution projection/pasting and 
trace pasting results. This then yields our trace substitutivity result. The π-calculus does not 
have such identifiers, and so the only compositionality results in the π-calculus are with respect 
to simulation, rather than trace inclusion. Since simulation is incomplete with respect to trace 
inclusion, our compositionality result has wider scope than that of the π-calculus. When the traces 
of A are included in those of B, but there is no simulation from A to B, our approach will allow B 
to be replaced by A, and we can automatically conclude that correctness is preserved, i.e., no new 
behaviors are introduced in the overall system. In approaches relying on simulation, the verification 
of correctness would have to be redone for the entire system, necessitating much greater effort. 


We will also investigate the use of DIOA as a semantic model for object-oriented programming. 
Since we can express dynamic aspects of OOP, such as the creation of objects, directly, we feel this is 
a promising direction. Embedding a model of objects into DIOA would then automatically provide 
the metatheory for verification and refinement of OO programs. 


Agent systems should be able to operate in a dynamic environment, with processor failures, 
unreliable channels, and timing uncertainties. Thus, we need to extend our model to deal with fault- 
tolerance and timing. We shall also extend the framework of [Att99] for verifying liveness properties 
to our model. This should be relatively straightforward, since [Att99] uses only properties of forward 
simulation that should also carry over to our setting. 